[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c.
[   38.490613][   T26] audit: type=1800 audit(1554648372.184:25): pid=7727 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   38.511150][   T26] audit: type=1800 audit(1554648372.184:26): pid=7727 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   38.532209][   T26] audit: type=1800 audit(1554648372.184:27): pid=7727 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.76' (ECDSA) to the list of known hosts.
2019/04/07 14:46:37 fuzzer started
2019/04/07 14:46:40 dialing manager at 10.128.0.26:34543
2019/04/07 14:46:41 syscalls: 2408
2019/04/07 14:46:41 code coverage: enabled
2019/04/07 14:46:41 comparison tracing: enabled
2019/04/07 14:46:41 extra coverage: extra coverage is not supported by the kernel
2019/04/07 14:46:41 setuid sandbox: enabled
2019/04/07 14:46:41 namespace sandbox: enabled
2019/04/07 14:46:41 Android sandbox: /sys/fs/selinux/policy does not exist
2019/04/07 14:46:41 fault injection: enabled
2019/04/07 14:46:41 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled
2019/04/07 14:46:41 net packet injection: enabled
2019/04/07 14:46:41 net device setup: enabled
14:48:53 executing program 0:
r0 = inotify_init1(0x0)
fcntl$setown(r0, 0x8, 0xffffffffffffffff)
fcntl$getownex(r0, 0x10, &(0x7f0000000240)={0x0, <r1=>0x0})
ptrace$setopts(0x4206, r1, 0x0, 0x0)

syzkaller login: [  199.825852][ T7892] IPVS: ftp: loaded support on port[0] = 21
14:48:53 executing program 1:
capset(&(0x7f0000560ff8)={0x19980330}, &(0x7f00003fd000))
perf_event_open(&(0x7f0000000000)={0x2, 0x70, 0x800000000000012, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
semop(0x0, &(0x7f0000000480)=[{}], 0x1)

[  199.931263][ T7892] chnl_net:caif_netlink_parms(): no params data found
[  200.016231][ T7892] bridge0: port 1(bridge_slave_0) entered blocking state
[  200.039040][ T7892] bridge0: port 1(bridge_slave_0) entered disabled state
[  200.047482][ T7892] device bridge_slave_0 entered promiscuous mode
[  200.071593][ T7892] bridge0: port 2(bridge_slave_1) entered blocking state
[  200.089004][ T7892] bridge0: port 2(bridge_slave_1) entered disabled state
[  200.097067][ T7892] device bridge_slave_1 entered promiscuous mode
[  200.126820][ T7895] IPVS: ftp: loaded support on port[0] = 21
[  200.147074][ T7892] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  200.173841][ T7892] bond0: Enslaving bond_slave_1 as an active interface with an up link
14:48:53 executing program 2:
r0 = open(&(0x7f000000fffa)='./bus\x00', 0x141042, 0x0)
close(r0)
r1 = syz_open_dev$loop(&(0x7f0000ca9ff5)='/dev/loop#\x00', 0x0, 0x105082)
r2 = memfd_create(&(0x7f0000000180)='\x00GG\xf8\xf74<\x1ax\xef5\xcc4x\x91p\xac72\xfa\x97\bV\xc2\x16^+\xc5\xf3\x13>\xb99\xeat\xaf\xac3\x95\x1eHJ\x17\x9f\xd2\\G}\xc2\xfe\x1f2\xf7\xae\xe59\xaf\xcc\x99\xc6\xd0\xe8_\x19-\x85/n\xd8\nDs', 0x0)
pwritev(r2, &(0x7f0000000080)=[{&(0x7f00000000c0)="a8", 0x1}], 0x1, 0x81003)
ioctl$LOOP_CHANGE_FD(r1, 0x4c00, r2)
mmap(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x800002, 0x11, r0, 0x0)
pipe(&(0x7f0000000040)={<r3=>0xffffffffffffffff, <r4=>0xffffffffffffffff})
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000100)={0xffffffffffffffff, <r5=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r5, 0x8912, 0x400200)
write(r4, &(0x7f00000001c0), 0x526987c9)
read(r3, &(0x7f0000000200)=""/250, 0x50c7e3e3)

[  200.217812][ T7892] team0: Port device team_slave_0 added
[  200.226247][ T7892] team0: Port device team_slave_1 added
[  200.373218][ T7892] device hsr_slave_0 entered promiscuous mode
14:48:54 executing program 3:
socket$inet6(0xa, 0x3, 0x6)
fdatasync(0xffffffffffffff9c)
socket$inet6(0xa, 0x1000000000002, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
sendmsg$IPVS_CMD_DEL_DEST(0xffffffffffffffff, &(0x7f0000000580)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x4}, 0xc, &(0x7f0000000040)={&(0x7f0000000380)=ANY=[@ANYBLOB="9287b748246deeca588edacd5c1cc596a848a41b96d72d9ff1ffcd245d4623bea592fa911a59141ad79770daa350bbd501b4cb95cf19700700000000000000625d08ef137426f4997e282f68591512c4636d34e1d3cc668e8b4f8843a8485590d2eacc2773f295290a92d6f061f3d87a22968a81d80da9a6c39f5c7aa09f49456049763d7bb11d1171be83d26f047ce47c565dbf107ab9605a473e04c7e779a0c244ca4388df158abb"], 0x1}, 0x1, 0x0, 0x0, 0x90}, 0xfffffffffffffffd)
r0 = socket$inet6(0xa, 0x6, 0x0)
bind$inet6(r0, &(0x7f0000000000)={0xa, 0x4e20}, 0x1c)
r1 = socket$inet_dccp(0x2, 0x6, 0x0)
listen(r0, 0x6)
setsockopt(r1, 0x10d, 0x800000000d, &(0x7f00001c9fff)="03", 0x1)
connect$inet(r1, &(0x7f0000e5c000)={0x2, 0x4e20, @dev={0xac, 0x14, 0x14, 0x20}}, 0x10)
r2 = accept(r0, 0x0, &(0x7f00000001c0)=0x281)
sendmmsg(r1, &(0x7f0000005700)=[{{&(0x7f0000003900)=@pptp, 0x80, &(0x7f0000003b80), 0x3a5, &(0x7f0000003bc0), 0x72}}], 0x3a6, 0x0)
setsockopt$SO_BINDTODEVICE(r2, 0x1, 0x19, &(0x7f0000000100)='erspan0\x00', 0xfc)
sendmmsg(r1, &(0x7f000000a080)=[{{&(0x7f0000005440)=@pppol2tpin6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x2, {0xa, 0x0, 0x0, @ipv4={[], [], @local}}}}, 0x80, &(0x7f0000005640)=[{&(0x7f00000097c0)="bf", 0x1}], 0x1, 0x0, 0x0, 0x1}}], 0x1, 0x0)

[  200.430350][ T7892] device hsr_slave_1 entered promiscuous mode
[  200.529045][ T7892] bridge0: port 2(bridge_slave_1) entered blocking state
[  200.536330][ T7892] bridge0: port 2(bridge_slave_1) entered forwarding state
[  200.544387][ T7892] bridge0: port 1(bridge_slave_0) entered blocking state
[  200.551539][ T7892] bridge0: port 1(bridge_slave_0) entered forwarding state
[  200.582452][ T7898] IPVS: ftp: loaded support on port[0] = 21
[  200.602354][ T7895] chnl_net:caif_netlink_parms(): no params data found
[  200.636533][ T7900] IPVS: ftp: loaded support on port[0] = 21
14:48:54 executing program 4:

[  200.702723][ T7895] bridge0: port 1(bridge_slave_0) entered blocking state
[  200.711097][ T7895] bridge0: port 1(bridge_slave_0) entered disabled state
[  200.720388][ T7895] device bridge_slave_0 entered promiscuous mode
[  200.728467][ T7895] bridge0: port 2(bridge_slave_1) entered blocking state
[  200.736819][ T7895] bridge0: port 2(bridge_slave_1) entered disabled state
[  200.746128][ T7895] device bridge_slave_1 entered promiscuous mode
[  200.854761][ T7895] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  200.882313][ T7895] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  200.972109][ T7892] 8021q: adding VLAN 0 to HW filter on device bond0
[  200.974232][ T7904] IPVS: ftp: loaded support on port[0] = 21
[  200.990749][ T7892] 8021q: adding VLAN 0 to HW filter on device team0
[  201.021378][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  201.035551][    T5] bridge0: port 1(bridge_slave_0) entered disabled state
[  201.055589][    T5] bridge0: port 2(bridge_slave_1) entered disabled state
[  201.067457][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[  201.085037][ T7895] team0: Port device team_slave_0 added
[  201.100513][ T7895] team0: Port device team_slave_1 added
14:48:54 executing program 5:
r0 = socket$inet6(0xa, 0x2, 0x0)
socket$packet(0x11, 0x2, 0x300)
connect$inet6(r0, &(0x7f0000000100)={0xa, 0x0, 0x0, @dev, 0x8}, 0x1c)
connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x4e22, 0x0, @ipv4={[], [], @multicast1}}, 0x1c)
sendmmsg(r0, &(0x7f00000002c0), 0x400000000000174, 0x0)

[  201.125184][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[  201.134488][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[  201.146609][    T5] bridge0: port 1(bridge_slave_0) entered blocking state
[  201.153780][    T5] bridge0: port 1(bridge_slave_0) entered forwarding state
[  201.166488][ T7898] chnl_net:caif_netlink_parms(): no params data found
[  201.251942][ T7895] device hsr_slave_0 entered promiscuous mode
[  201.279222][ T7895] device hsr_slave_1 entered promiscuous mode
[  201.382626][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[  201.392359][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[  201.401335][    T5] bridge0: port 2(bridge_slave_1) entered blocking state
[  201.408477][    T5] bridge0: port 2(bridge_slave_1) entered forwarding state
[  201.464832][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[  201.475939][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[  201.496861][ T7908] IPVS: ftp: loaded support on port[0] = 21
[  201.506077][ T7900] chnl_net:caif_netlink_parms(): no params data found
[  201.533698][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[  201.543067][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  201.552778][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[  201.561531][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  201.570123][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[  201.578438][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[  201.587112][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[  201.595667][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[  201.606378][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[  201.618445][ T7898] bridge0: port 1(bridge_slave_0) entered blocking state
[  201.627189][ T7898] bridge0: port 1(bridge_slave_0) entered disabled state
[  201.635137][ T7898] device bridge_slave_0 entered promiscuous mode
[  201.643157][ T7898] bridge0: port 2(bridge_slave_1) entered blocking state
[  201.650313][ T7898] bridge0: port 2(bridge_slave_1) entered disabled state
[  201.658748][ T7898] device bridge_slave_1 entered promiscuous mode
[  201.688152][ T7892] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[  201.750685][ T7898] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  201.763092][ T7898] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  201.774722][ T7900] bridge0: port 1(bridge_slave_0) entered blocking state
[  201.782260][ T7900] bridge0: port 1(bridge_slave_0) entered disabled state
[  201.790134][ T7900] device bridge_slave_0 entered promiscuous mode
[  201.818137][ T7898] team0: Port device team_slave_0 added
[  201.827630][ T7898] team0: Port device team_slave_1 added
[  201.836219][ T7900] bridge0: port 2(bridge_slave_1) entered blocking state
[  201.844923][ T7900] bridge0: port 2(bridge_slave_1) entered disabled state
[  201.863141][ T7900] device bridge_slave_1 entered promiscuous mode
[  201.887753][ T7900] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  201.897930][ T7900] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  201.961566][ T7900] team0: Port device team_slave_0 added
[  202.030767][ T7898] device hsr_slave_0 entered promiscuous mode
[  202.079282][ T7898] device hsr_slave_1 entered promiscuous mode
[  202.126204][ T7900] team0: Port device team_slave_1 added
[  202.147296][ T7892] 8021q: adding VLAN 0 to HW filter on device batadv0
[  202.176358][ T7904] chnl_net:caif_netlink_parms(): no params data found
[  202.262253][ T7900] device hsr_slave_0 entered promiscuous mode
[  202.311667][ T7900] device hsr_slave_1 entered promiscuous mode
[  202.380816][ T7895] 8021q: adding VLAN 0 to HW filter on device bond0
[  202.407396][ T7908] chnl_net:caif_netlink_parms(): no params data found
14:48:56 executing program 0:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})

[  202.435340][ T7904] bridge0: port 1(bridge_slave_0) entered blocking state
[  202.442894][ T7904] bridge0: port 1(bridge_slave_0) entered disabled state
[  202.451269][ T7904] device bridge_slave_0 entered promiscuous mode
[  202.498370][ T7904] bridge0: port 2(bridge_slave_1) entered blocking state
[  202.506911][ T7904] bridge0: port 2(bridge_slave_1) entered disabled state
[  202.515323][ T7904] device bridge_slave_1 entered promiscuous mode
[  202.526178][ T7895] 8021q: adding VLAN 0 to HW filter on device team0
[  202.552128][ T7918] binder: 7917:7918 ioctl c018620b 0 returned -14
[  202.566853][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[  202.575253][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  202.595310][ T7904] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  202.606987][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[  202.616074][ T7919] binder: 7917:7919 transaction failed 29189/-22, size 24-8 line 2995
[  202.624691][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[  202.626999][ T7919] binder: 7917:7919 BC_INCREFS_DONE u0000000000000000 no match
[  202.633181][    T5] bridge0: port 1(bridge_slave_0) entered blocking state
[  202.647975][    T5] bridge0: port 1(bridge_slave_0) entered forwarding state
[  202.656250][ T2888] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[  202.665312][ T7908] bridge0: port 1(bridge_slave_0) entered blocking state
[  202.672838][ T7908] bridge0: port 1(bridge_slave_0) entered disabled state
[  202.680698][ T7908] device bridge_slave_0 entered promiscuous mode
[  202.692851][ T7904] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  202.717762][ T7908] bridge0: port 2(bridge_slave_1) entered blocking state
[  202.726915][ T7908] bridge0: port 2(bridge_slave_1) entered disabled state
[  202.734912][ T7908] device bridge_slave_1 entered promiscuous mode
[  202.752631][ T7904] team0: Port device team_slave_0 added
[  202.763420][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[  202.772084][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[  202.780921][ T7905] bridge0: port 2(bridge_slave_1) entered blocking state
[  202.789044][ T7905] bridge0: port 2(bridge_slave_1) entered forwarding state
[  202.796605][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[  202.805328][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[  202.838227][ T7904] team0: Port device team_slave_1 added
[  202.853323][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[  202.863979][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  202.873342][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[  202.882105][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  202.890503][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[  202.925085][ T7908] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  202.935774][ T7908] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  202.957040][ T7898] 8021q: adding VLAN 0 to HW filter on device bond0
[  203.002065][ T7904] device hsr_slave_0 entered promiscuous mode
[  203.049247][ T7904] device hsr_slave_1 entered promiscuous mode
[  203.106324][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[  203.114678][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[  203.124115][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[  203.132743][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[  203.143159][ T7895] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[  203.168293][ T7908] team0: Port device team_slave_0 added
[  203.177690][ T7908] team0: Port device team_slave_1 added
[  203.190447][ T7900] 8021q: adding VLAN 0 to HW filter on device bond0
[  203.213430][ T7895] 8021q: adding VLAN 0 to HW filter on device batadv0
[  203.227970][ T7898] 8021q: adding VLAN 0 to HW filter on device team0
[  203.242821][ T7901] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[  203.251441][ T7901] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  203.281173][ T7901] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[  203.290264][ T7901] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[  203.298984][ T7901] bridge0: port 1(bridge_slave_0) entered blocking state
[  203.306107][ T7901] bridge0: port 1(bridge_slave_0) entered forwarding state
[  203.314423][ T7901] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
14:48:57 executing program 0:
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200)
r1 = creat(&(0x7f0000000700)='./bus\x00', 0x0)
r2 = open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0)
r3 = creat(&(0x7f0000000240)='./bus\x00', 0x0)
ftruncate(r3, 0x8200)
r4 = open(&(0x7f0000001840)='./bus\x00', 0x0, 0x0)
sendfile(r1, r4, 0x0, 0x20000000ffe)
sendfile(r1, r2, 0x0, 0x8000fffffffe)

[  203.323877][ T7901] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[  203.332344][ T7901] bridge0: port 2(bridge_slave_1) entered blocking state
[  203.339448][ T7901] bridge0: port 2(bridge_slave_1) entered forwarding state
[  203.346177][ T7919] binder: 7917:7919 ioctl c018620b 0 returned -14
[  203.351168][ T7900] 8021q: adding VLAN 0 to HW filter on device team0
[  203.362604][ T7920] binder: 7917:7920 transaction failed 29189/-22, size 24-8 line 2995
[  203.365581][ T7922] binder: 7917:7922 BC_INCREFS_DONE u0000000000000000 no match
[  203.411448][ T7908] device hsr_slave_0 entered promiscuous mode
[  203.457334][   T26] kauditd_printk_skb: 3 callbacks suppressed
[  203.457350][   T26] audit: type=1804 audit(1554648537.144:31): pid=7926 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.0" name="/root/syzkaller-testdir133207300/syzkaller.wLE1YV/2/bus" dev="sda1" ino=16517 res=1
[  203.471182][ T7908] device hsr_slave_1 entered promiscuous mode
[  203.495074][   T26] audit: type=1804 audit(1554648537.144:32): pid=7926 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.0" name="/root/syzkaller-testdir133207300/syzkaller.wLE1YV/2/bus" dev="sda1" ino=16517 res=1
[  203.495102][   T26] audit: type=1804 audit(1554648537.154:33): pid=7926 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.0" name="/root/syzkaller-testdir133207300/syzkaller.wLE1YV/2/bus" dev="sda1" ino=16517 res=1
[  203.609178][   T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[  203.628662][   T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[  203.638080][   T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  203.653739][   T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[  203.676216][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[  203.687799][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[  203.705285][   T22] bridge0: port 1(bridge_slave_0) entered blocking state
[  203.712501][   T22] bridge0: port 1(bridge_slave_0) entered forwarding state
[  203.727255][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[  203.803147][ T7929] capability: warning: `syz-executor.1' uses 32-bit capabilities (legacy support in use)
[  203.822891][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[  203.832735][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[  203.842722][   T22] bridge0: port 2(bridge_slave_1) entered blocking state
[  203.850290][   T22] bridge0: port 2(bridge_slave_1) entered forwarding state
[  203.858738][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[  203.868799][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[  203.881834][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[  203.890895][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  203.899824][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[  203.909633][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
14:48:57 executing program 1:
r0 = socket$inet(0xa, 0x801, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
getsockopt$sock_buf(r0, 0x1, 0x10, 0x0, &(0x7f0000000040))

[  203.945886][ T7904] 8021q: adding VLAN 0 to HW filter on device bond0
[  203.971376][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[  203.987637][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  204.007394][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[  204.025594][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
14:48:57 executing program 1:
r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000940)='/dev/uhid\x00', 0x802, 0x0)
r1 = open(&(0x7f00000001c0)='./bus\x00', 0x141042, 0x0)
write$UHID_CREATE2(r1, &(0x7f0000000080)={0xb, 'syz1\x00', 'syz1\x00', 'syz1\x00', 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, '?'}, 0x119)
write$P9_RREADLINK(r1, &(0x7f0000000300)=ANY=[], 0xffffff93)
sendfile(r0, r1, &(0x7f0000d83ff8), 0x8000fffffffe)

[  204.053216][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[  204.062926][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  204.071928][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[  204.081069][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  204.096332][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[  204.114571][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[  204.148865][ T7900] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[  204.168400][ T7900] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[  204.193440][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[  204.202712][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[  204.224742][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[  204.232770][   T26] audit: type=1804 audit(1554648537.914:34): pid=7939 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.0" name="/root/syzkaller-testdir133207300/syzkaller.wLE1YV/2/bus" dev="sda1" ino=16517 res=1
[  204.253178][ T7937] UHID_CREATE from different security context by process 8 (syz-executor.1), this is not allowed.
[  204.279435][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[  204.301339][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[  204.334996][    T5] hid-generic 0000:0000:0000.0001: item fetching failed at offset -1478943807
[  204.357790][ T7898] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[  204.369439][    T5] hid-generic: probe of 0000:0000:0000.0001 failed with error -22
[  204.381861][ T7904] 8021q: adding VLAN 0 to HW filter on device team0
[  204.395994][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[  204.406003][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  204.423054][ T7900] 8021q: adding VLAN 0 to HW filter on device batadv0
[  204.457126][   T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[  204.473750][   T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[  204.487474][   T17] bridge0: port 1(bridge_slave_0) entered blocking state
[  204.494633][   T17] bridge0: port 1(bridge_slave_0) entered forwarding state
[  204.510629][   T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[  204.523971][   T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[  204.535035][   T17] bridge0: port 2(bridge_slave_1) entered blocking state
[  204.542299][   T17] bridge0: port 2(bridge_slave_1) entered forwarding state
[  204.569308][   T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[  204.586655][ T7898] 8021q: adding VLAN 0 to HW filter on device batadv0
[  204.595292][   T26] audit: type=1804 audit(1554648538.284:35): pid=7926 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.0" name="/root/syzkaller-testdir133207300/syzkaller.wLE1YV/2/bus" dev="sda1" ino=16517 res=1
[  204.636455][ T7908] 8021q: adding VLAN 0 to HW filter on device bond0
[  204.665044][    C1] hrtimer: interrupt took 25880 ns
14:48:58 executing program 0:
r0 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$ARPT_SO_SET_REPLACE(r0, 0x0, 0x60, &(0x7f00000004c0)=ANY=[@ANYBLOB="000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0001801000000000000000000000000000000000000000000000000000028004e46515545554500000000000000000000000000000000000000000000000000000000000000e0000002e0000002ffffffff000000003a3988bdc7fd000000000000000000000000000000000000ffffff000000000000000000000000000d073d89577c000000000000000000000000000000000000ffffff00ffff00000000000000000000000004000081fffb0003035169703667726574617030000000000000687773696d300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000000000000000000f0001801000000000000000011000000000000000000000000000000000028004e46515545554500000000000000000000000000000000000000000000020104fdff03000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0001802000000000000000000000000000000000000000000000000000028015345434d41524b0000000000000000000000000000000000000000000000010000000a4700797374656d5f753a6f626a6563745f723a676574747901262d74635f743a7330000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c000e8000000000000000000000000000000000000000000000000002800000000000000000000000000000000000000000000000000000000000000feffffff00000000"], 0x1)
r1 = socket$inet6(0xa, 0x80003, 0x5)
connect$inet6(r1, &(0x7f0000000480)={0xa, 0x0, 0x0, @dev, 0x3}, 0x1c)
syz_open_dev$dmmidi(&(0x7f0000000040)='/dev/dmmidi#\x00', 0x101, 0x10800)
r2 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ptmx\x00', 0x40, 0x0)
ioctl$TIOCPKT(r2, 0x5420, &(0x7f0000000000)=0xa35)
mkdirat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x0)
clone(0x2102001ffc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount$9p_unix(&(0x7f0000000100)='./file0\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000240)='9p\x00', 0x200000, &(0x7f0000000b80)=ANY=[@ANYBLOB="2c646d61636b66736861743d776c616e31776c616e31747275737465647365ec696e7578273a252c00"])

[  204.741998][   T26] audit: type=1804 audit(1554648538.344:36): pid=7941 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.0" name="/root/syzkaller-testdir133207300/syzkaller.wLE1YV/2/bus" dev="sda1" ino=16517 res=1
[  204.773144][ T7921] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[  204.781829][ T7921] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[  204.826160][ T7921] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[  204.841132][ T7921] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  204.849600][   T26] audit: type=1804 audit(1554648538.364:37): pid=7944 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.0" name="/root/syzkaller-testdir133207300/syzkaller.wLE1YV/2/bus" dev="sda1" ino=16517 res=1
[  204.875277][ T7921] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[  204.884713][ T7921] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  204.902389][ T7921] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[  204.911656][ T7950] 9pnet_virtio: no channels available for device ./file0
[  204.931904][ T7904] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[  204.972897][ T7904] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[  204.976680][ T7959] 9pnet_virtio: no channels available for device ./file0
14:48:58 executing program 3:
socket$inet6(0xa, 0x3, 0x6)
fdatasync(0xffffffffffffff9c)
socket$inet6(0xa, 0x1000000000002, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
sendmsg$IPVS_CMD_DEL_DEST(0xffffffffffffffff, &(0x7f0000000580)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x4}, 0xc, &(0x7f0000000040)={&(0x7f0000000380)=ANY=[@ANYBLOB="9287b748246deeca588edacd5c1cc596a848a41b96d72d9ff1ffcd245d4623bea592fa911a59141ad79770daa350bbd501b4cb95cf19700700000000000000625d08ef137426f4997e282f68591512c4636d34e1d3cc668e8b4f8843a8485590d2eacc2773f295290a92d6f061f3d87a22968a81d80da9a6c39f5c7aa09f49456049763d7bb11d1171be83d26f047ce47c565dbf107ab9605a473e04c7e779a0c244ca4388df158abb"], 0x1}, 0x1, 0x0, 0x0, 0x90}, 0xfffffffffffffffd)
r0 = socket$inet6(0xa, 0x6, 0x0)
bind$inet6(r0, &(0x7f0000000000)={0xa, 0x4e20}, 0x1c)
r1 = socket$inet_dccp(0x2, 0x6, 0x0)
listen(r0, 0x6)
setsockopt(r1, 0x10d, 0x800000000d, &(0x7f00001c9fff)="03", 0x1)
connect$inet(r1, &(0x7f0000e5c000)={0x2, 0x4e20, @dev={0xac, 0x14, 0x14, 0x20}}, 0x10)
r2 = accept(r0, 0x0, &(0x7f00000001c0)=0x281)
sendmmsg(r1, &(0x7f0000005700)=[{{&(0x7f0000003900)=@pptp, 0x80, &(0x7f0000003b80), 0x3a5, &(0x7f0000003bc0), 0x72}}], 0x3a6, 0x0)
setsockopt$SO_BINDTODEVICE(r2, 0x1, 0x19, &(0x7f0000000100)='erspan0\x00', 0xfc)
sendmmsg(r1, &(0x7f000000a080)=[{{&(0x7f0000005440)=@pppol2tpin6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x2, {0xa, 0x0, 0x0, @ipv4={[], [], @local}}}}, 0x80, &(0x7f0000005640)=[{&(0x7f00000097c0)="bf", 0x1}], 0x1, 0x0, 0x0, 0x1}}], 0x1, 0x0)

14:48:58 executing program 0:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r0, &(0x7f0000000040)={0x0, 0xfffffffffffff000, &(0x7f0000000000)={&(0x7f0000000140)={0x14, 0x1c, 0xffffff1f, 0x0, 0x0, {0x1, 0x6000, 0x6000}}, 0x14}}, 0x0)
recvmmsg(r0, &(0x7f0000004040)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0, 0x0)

[  205.026133][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[  205.071075][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[  205.092554][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
14:48:58 executing program 0:
perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0xee6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r0 = socket$key(0xf, 0x3, 0x2)
sendmsg$key(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000000c0)={0x2, 0x3, 0x0, 0x3, 0x9, 0x0, 0x0, 0x0, [@sadb_key={0x2, 0x9, 0x8, 0x0, "e5"}, @sadb_sa={0x2, 0x1, 0x0, 0x0, 0x0, 0x0, 0x2}, @sadb_address={0x3, 0x5, 0x0, 0x0, 0x0, @in={0x2, 0x0, @multicast1}}]}, 0x48}}, 0x0)

[  205.125415][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[  205.150301][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[  205.231234][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  205.250556][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[  205.282712][ T7908] 8021q: adding VLAN 0 to HW filter on device team0
[  205.318181][ T7904] 8021q: adding VLAN 0 to HW filter on device batadv0
14:48:59 executing program 2:
ioctl$SG_GET_PACK_ID(0xffffffffffffffff, 0x227c, &(0x7f0000000180))
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r0 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r0, &(0x7f0000000000)={0x26, 'aead\x00', 0x0, 0x0, 'morus640-generic\x00'}, 0x58)
setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000080)="ab553fec94248c32e27d04000000288a", 0x10)
r1 = accept$alg(r0, 0x0, 0x0)
sendmsg$alg(r1, &(0x7f0000001380)={0x0, 0x0, 0x0, 0x0, &(0x7f00000000c0)=[@op={0x18, 0x117, 0x3, 0x1}, @assoc={0x18, 0x117, 0x4, 0x2f5}], 0x30}, 0x0)
write$binfmt_script(r1, &(0x7f0000000600)=ANY=[], 0xfec8)
recvmmsg(r1, &(0x7f0000007e00)=[{{&(0x7f0000001240)=@alg, 0x80, &(0x7f0000004700)=[{&(0x7f00000012c0)=""/167, 0xf}, {&(0x7f00000023c0)=""/49, 0x200023f1}, {&(0x7f0000003580)=""/4096, 0x1000}], 0x3, &(0x7f0000004780)=""/245, 0xf5}}], 0x30, 0x0, &(0x7f0000008000)={0x0, 0x989680})
ioctl$KVM_PPC_GET_PVINFO(0xffffffffffffffff, 0x4080aea1, &(0x7f0000000100)=""/4)

14:48:59 executing program 1:
r0 = open(&(0x7f0000000040)='./file0\x00', 0x2000000000008040, 0x0)
fcntl$setsig(r0, 0xa, 0x11)
fcntl$setlease(r0, 0x400, 0x0)
truncate(&(0x7f00000000c0)='./file0\x00', 0x0)
r1 = gettid()
timer_create(0x0, &(0x7f0000044000)={0x0, 0x12}, &(0x7f0000044000))
timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x989680}}, 0x0)
tkill(r1, 0x1004000000016)
fcntl$setlease(r0, 0x400, 0x2)

[  205.385032][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[  205.394394][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[  205.418084][ T7905] bridge0: port 1(bridge_slave_0) entered blocking state
[  205.425285][ T7905] bridge0: port 1(bridge_slave_0) entered forwarding state
[  205.453440][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[  205.495218][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[  205.515178][ T7905] bridge0: port 2(bridge_slave_1) entered blocking state
[  205.522386][ T7905] bridge0: port 2(bridge_slave_1) entered forwarding state
[  205.536391][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[  205.545739][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[  205.562085][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[  205.577128][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  205.588856][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
[  205.605820][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[  205.627762][ T7921] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
14:48:59 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0})

[  205.646369][ T7921] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  205.664052][ T7921] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[  205.691938][ T7921] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[  205.702394][ T7921] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[  205.711607][ T7921] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[  205.723470][ T7908] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[  205.746174][ T7998] binder: 7997:7998 transaction failed 29189/-22, size 24-8 line 2995
[  205.757622][ T7998] binder: 7997:7998 transaction failed 29189/-22, size 24-8 line 2995
[  205.767332][ T7999] binder: 7997:7999 BC_INCREFS_DONE u0000000000000000 no match
[  205.777100][ T2888] binder: undelivered TRANSACTION_ERROR: 29189
[  205.789239][ T2888] binder: undelivered TRANSACTION_ERROR: 29189
[  205.806613][ T7908] 8021q: adding VLAN 0 to HW filter on device batadv0
[  205.881824][ T8003] BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor.5/8003
[  205.891436][ T8003] caller is sk_mc_loop+0x1d/0x210
[  205.896566][ T8003] CPU: 0 PID: 8003 Comm: syz-executor.5 Not tainted 5.1.0-rc3-next-20190405 #19
[  205.905577][ T8003] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  205.916698][ T8003] Call Trace:
[  205.920013][ T8003]  dump_stack+0x172/0x1f0
[  205.924362][ T8003]  __this_cpu_preempt_check+0x246/0x270
[  205.929939][ T8003]  sk_mc_loop+0x1d/0x210
[  205.934192][ T8003]  ip_mc_output+0x2ef/0xf70
[  205.938713][ T8003]  ? __ip_queue_xmit+0x1bf0/0x1bf0
[  205.943858][ T8003]  ? ip_append_data.part.0+0x170/0x170
[  205.949326][ T8003]  ? ip_make_skb+0x1b1/0x2c0
[  205.953926][ T8003]  ? ip_reply_glue_bits+0xc0/0xc0
[  205.958964][ T8003]  ip_local_out+0xc4/0x1b0
[  205.963410][ T8003]  ip_send_skb+0x42/0xf0
[  205.967665][ T8003]  udp_send_skb.isra.0+0x6b2/0x1180
[  205.972877][ T8003]  ? xfrm_lookup_route+0x5b/0x1f0
[  205.977934][ T8003]  udp_sendmsg+0x1dfd/0x2820
[  205.982555][ T8003]  ? ip_reply_glue_bits+0xc0/0xc0
[  205.987599][ T8003]  ? udp4_lib_lookup_skb+0x440/0x440
[  205.992906][ T8003]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[  205.998819][ T8003]  ? find_next_and_bit+0x19a/0x200
[  206.003956][ T8003]  ? __lock_acquire+0x548/0x3fb0
[  206.009435][ T8003]  udpv6_sendmsg+0x13a4/0x28d0
[  206.014212][ T8003]  ? udpv6_sendmsg+0x13a4/0x28d0
[  206.019173][ T8003]  ? udp6_unicast_rcv_skb.isra.0+0x2f0/0x2f0
[  206.025184][ T8003]  ? aa_profile_af_perm+0x320/0x320
[  206.030401][ T8003]  ? __might_fault+0x12b/0x1e0
[  206.035182][ T8003]  ? find_held_lock+0x35/0x130
[  206.039960][ T8003]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  206.046799][ T8003]  ? rw_copy_check_uvector+0x2a6/0x330
[  206.052284][ T8003]  ? ___might_sleep+0x163/0x280
[  206.057154][ T8003]  ? __might_sleep+0x95/0x190
[  206.061847][ T8003]  ? debug_lockdep_rcu_enabled+0x71/0xa0
[  206.067929][ T8003]  ? aa_sk_perm+0x288/0x880
[  206.072456][ T8003]  ? aa_sock_msg_perm.isra.0+0xba/0x170
[  206.078022][ T8003]  inet_sendmsg+0x147/0x5e0
[  206.082554][ T8003]  ? udp6_unicast_rcv_skb.isra.0+0x2f0/0x2f0
[  206.088556][ T8003]  ? inet_sendmsg+0x147/0x5e0
[  206.093253][ T8003]  ? ipip_gro_receive+0x100/0x100
[  206.098292][ T8003]  sock_sendmsg+0xdd/0x130
[  206.102735][ T8003]  ___sys_sendmsg+0x3e2/0x930
[  206.107448][ T8003]  ? copy_msghdr_from_user+0x430/0x430
[  206.112917][ T8003]  ? lock_downgrade+0x880/0x880
[  206.117775][ T8003]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  206.124028][ T8003]  ? kasan_check_read+0x11/0x20
[  206.128890][ T8003]  ? __fget+0x381/0x550
[  206.133063][ T8003]  ? ksys_dup3+0x3e0/0x3e0
[  206.137795][ T8003]  ? __fget_light+0x1a9/0x230
[  206.142483][ T8003]  ? __fdget+0x1b/0x20
[  206.146573][ T8003]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  206.152832][ T8003]  ? sockfd_lookup_light+0xcb/0x180
[  206.158041][ T8003]  __sys_sendmmsg+0x1bf/0x4d0
[  206.162739][ T8003]  ? __ia32_sys_sendmsg+0xb0/0xb0
[  206.167801][ T8003]  ? _copy_to_user+0xc9/0x120
[  206.172497][ T8003]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  206.178772][ T8003]  ? put_timespec64+0xda/0x140
[  206.183558][ T8003]  ? nsecs_to_jiffies+0x30/0x30
[  206.188432][ T8003]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  206.193905][ T8003]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  206.199376][ T8003]  ? do_syscall_64+0x26/0x610
[  206.204061][ T8003]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  206.210137][ T8003]  ? do_syscall_64+0x26/0x610
[  206.214829][ T8003]  __x64_sys_sendmmsg+0x9d/0x100
[  206.219781][ T8003]  do_syscall_64+0x103/0x610
[  206.224415][ T8003]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  206.230306][ T8003] RIP: 0033:0x4582b9
[  206.234205][ T8003] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  206.253812][ T8003] RSP: 002b:00007f1ae77ecc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[  206.262310][ T8003] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004582b9
[  206.270278][ T8003] RDX: 0400000000000174 RSI: 00000000200002c0 RDI: 0000000000000003
[  206.278252][ T8003] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
[  206.286236][ T8003] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1ae77ed6d4
[  206.294212][ T8003] R13: 00000000004c5230 R14: 00000000004d9380 R15: 00000000ffffffff
[  206.304140][    C0] protocol 88fb is buggy, dev hsr_slave_0
[  206.309192][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  206.310111][    C0] protocol 88fb is buggy, dev hsr_slave_1
[  206.315849][    C1] protocol 88fb is buggy, dev hsr_slave_1
[  206.330426][ T8003] BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor.5/8003
[  206.339898][ T8003] caller is sk_mc_loop+0x1d/0x210
[  206.344941][ T8003] CPU: 0 PID: 8003 Comm: syz-executor.5 Not tainted 5.1.0-rc3-next-20190405 #19
[  206.353959][ T8003] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  206.364011][ T8003] Call Trace:
[  206.367309][ T8003]  dump_stack+0x172/0x1f0
[  206.371657][ T8003]  __this_cpu_preempt_check+0x246/0x270
[  206.377218][ T8003]  sk_mc_loop+0x1d/0x210
[  206.381473][ T8003]  ip_mc_output+0x2ef/0xf70
[  206.385993][ T8003]  ? __ip_queue_xmit+0x1bf0/0x1bf0
[  206.391120][ T8003]  ? ip_append_data.part.0+0x170/0x170
[  206.396606][ T8003]  ? ip_make_skb+0x1b1/0x2c0
[  206.401196][ T8003]  ? ip_reply_glue_bits+0xc0/0xc0
[  206.406209][ T8003]  ip_local_out+0xc4/0x1b0
[  206.410612][ T8003]  ip_send_skb+0x42/0xf0
[  206.414869][ T8003]  udp_send_skb.isra.0+0x6b2/0x1180
[  206.420060][ T8003]  ? xfrm_lookup_route+0x5b/0x1f0
[  206.425076][ T8003]  udp_sendmsg+0x1dfd/0x2820
[  206.429682][ T8003]  ? ip_reply_glue_bits+0xc0/0xc0
[  206.434697][ T8003]  ? udp4_lib_lookup_skb+0x440/0x440
[  206.439973][ T8003]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[  206.445680][ T8003]  ? find_next_and_bit+0x19a/0x200
[  206.450784][ T8003]  ? __lock_acquire+0x548/0x3fb0
[  206.455717][ T8003]  udpv6_sendmsg+0x13a4/0x28d0
[  206.460469][ T8003]  ? udpv6_sendmsg+0x13a4/0x28d0
[  206.465399][ T8003]  ? udp6_unicast_rcv_skb.isra.0+0x2f0/0x2f0
[  206.471371][ T8003]  ? aa_profile_af_perm+0x320/0x320
[  206.476563][ T8003]  ? __might_fault+0x12b/0x1e0
[  206.481331][ T8003]  ? find_held_lock+0x35/0x130
[  206.486081][ T8003]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  206.492487][ T8003]  ? rw_copy_check_uvector+0x2a6/0x330
[  206.497960][ T8003]  ? ___might_sleep+0x163/0x280
[  206.502825][ T8003]  ? __might_sleep+0x95/0x190
[  206.507492][ T8003]  ? debug_lockdep_rcu_enabled+0x71/0xa0
[  206.513153][ T8003]  ? aa_sk_perm+0x288/0x880
[  206.517647][ T8003]  ? aa_sock_msg_perm.isra.0+0xba/0x170
[  206.523267][ T8003]  inet_sendmsg+0x147/0x5e0
[  206.527757][ T8003]  ? udp6_unicast_rcv_skb.isra.0+0x2f0/0x2f0
[  206.533717][ T8003]  ? inet_sendmsg+0x147/0x5e0
[  206.538381][ T8003]  ? ipip_gro_receive+0x100/0x100
[  206.543391][ T8003]  sock_sendmsg+0xdd/0x130
[  206.547797][ T8003]  ___sys_sendmsg+0x3e2/0x930
[  206.552461][ T8003]  ? copy_msghdr_from_user+0x430/0x430
[  206.557935][ T8003]  ? __lock_acquire+0x548/0x3fb0
[  206.562858][ T8003]  ? lock_downgrade+0x880/0x880
[  206.567693][ T8003]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  206.573944][ T8003]  ? kasan_check_read+0x11/0x20
[  206.578784][ T8003]  ? __might_fault+0x12b/0x1e0
[  206.583547][ T8003]  ? find_held_lock+0x35/0x130
[  206.588320][ T8003]  ? __might_fault+0x12b/0x1e0
[  206.593070][ T8003]  ? lock_downgrade+0x880/0x880
[  206.597933][ T8003]  ? ___might_sleep+0x163/0x280
[  206.602805][ T8003]  __sys_sendmmsg+0x1bf/0x4d0
[  206.607472][ T8003]  ? __ia32_sys_sendmsg+0xb0/0xb0
[  206.612484][ T8003]  ? _copy_to_user+0xc9/0x120
[  206.617147][ T8003]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  206.623370][ T8003]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  206.629620][ T8003]  ? put_timespec64+0xda/0x140
[  206.634376][ T8003]  ? nsecs_to_jiffies+0x30/0x30
[  206.639219][ T8003]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  206.644665][ T8003]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  206.650121][ T8003]  ? do_syscall_64+0x26/0x610
[  206.654785][ T8003]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  206.660834][ T8003]  ? do_syscall_64+0x26/0x610
[  206.665496][ T8003]  __x64_sys_sendmmsg+0x9d/0x100
[  206.670428][ T8003]  do_syscall_64+0x103/0x610
[  206.680717][ T8003]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  206.686796][ T8003] RIP: 0033:0x4582b9
[  206.690762][ T8003] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  206.710666][ T8003] RSP: 002b:00007f1ae77ecc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[  206.719087][ T8003] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004582b9
[  206.727068][ T8003] RDX: 0400000000000174 RSI: 00000000200002c0 RDI: 0000000000000003
[  206.735051][ T8003] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
[  206.743030][ T8003] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1ae77ed6d4
[  206.751011][ T8003] R13: 00000000004c5230 R14: 00000000004d9380 R15: 00000000ffffffff
[  206.764442][ T8005] BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor.5/8005
[  206.776039][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  206.776105][    C1] protocol 88fb is buggy, dev hsr_slave_1
[  206.779278][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  206.779325][    C1] protocol 88fb is buggy, dev hsr_slave_1
[  206.803482][ T8005] caller is sk_mc_loop+0x1d/0x210
[  206.808711][ T8005] CPU: 1 PID: 8005 Comm: syz-executor.5 Not tainted 5.1.0-rc3-next-20190405 #19
[  206.817746][ T8005] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  206.828763][ T8005] Call Trace:
[  206.832254][ T8005]  dump_stack+0x172/0x1f0
[  206.836711][ T8005]  __this_cpu_preempt_check+0x246/0x270
[  206.843179][ T8005]  sk_mc_loop+0x1d/0x210
[  206.849014][ T8005]  ip_mc_output+0x2ef/0xf70
[  206.854529][ T8005]  ? __ip_queue_xmit+0x1bf0/0x1bf0
[  206.864519][ T8005]  ? ip_append_data.part.0+0x170/0x170
[  206.879588][ T8005]  ? ip_make_skb+0x1b1/0x2c0
[  206.884855][ T8005]  ? ip_reply_glue_bits+0xc0/0xc0
[  206.889996][ T8005]  ip_local_out+0xc4/0x1b0
[  206.894445][ T8005]  ip_send_skb+0x42/0xf0
[  206.898704][ T8005]  udp_send_skb.isra.0+0x6b2/0x1180
[  206.903893][ T8005]  ? xfrm_lookup_route+0x5b/0x1f0
[  206.908932][ T8005]  udp_sendmsg+0x1dfd/0x2820
[  206.913534][ T8005]  ? find_held_lock+0x35/0x130
[  206.918303][ T8005]  ? ip_reply_glue_bits+0xc0/0xc0
[  206.923326][ T8005]  ? udp4_lib_lookup_skb+0x440/0x440
[  206.928632][ T8005]  ? kasan_check_read+0x11/0x20
[  206.933583][ T8005]  ? is_bpf_text_address+0xd3/0x170
[  206.938835][ T8005]  udpv6_sendmsg+0x13a4/0x28d0
[  206.943603][ T8005]  ? udpv6_sendmsg+0x13a4/0x28d0
[  206.948810][ T8005]  ? udp6_unicast_rcv_skb.isra.0+0x2f0/0x2f0
[  206.954842][ T8005]  ? aa_profile_af_perm+0x320/0x320
[  206.960161][ T8005]  ? __might_fault+0x12b/0x1e0
[  206.964926][ T8005]  ? find_held_lock+0x35/0x130
[  206.969697][ T8005]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  206.975938][ T8005]  ? rw_copy_check_uvector+0x2a6/0x330
[  206.981408][ T8005]  ? ___might_sleep+0x163/0x280
[  206.986424][ T8005]  ? __might_sleep+0x95/0x190
[  206.991107][ T8005]  ? debug_lockdep_rcu_enabled+0x71/0xa0
[  206.996739][ T8005]  ? aa_sk_perm+0x288/0x880
[  207.001235][ T8005]  ? aa_sock_msg_perm.isra.0+0xba/0x170
[  207.006766][ T8005]  inet_sendmsg+0x147/0x5e0
[  207.011318][ T8005]  ? udp6_unicast_rcv_skb.isra.0+0x2f0/0x2f0
[  207.017297][ T8005]  ? inet_sendmsg+0x147/0x5e0
[  207.021981][ T8005]  ? ipip_gro_receive+0x100/0x100
[  207.027112][ T8005]  sock_sendmsg+0xdd/0x130
[  207.031633][ T8005]  ___sys_sendmsg+0x3e2/0x930
[  207.036330][ T8005]  ? copy_msghdr_from_user+0x430/0x430
[  207.041787][ T8005]  ? lock_downgrade+0x880/0x880
[  207.046633][ T8005]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  207.052886][ T8005]  ? kasan_check_read+0x11/0x20
[  207.057746][ T8005]  ? __fget+0x381/0x550
[  207.061895][ T8005]  ? ksys_dup3+0x3e0/0x3e0
[  207.067419][ T8005]  ? __fget_light+0x1a9/0x230
[  207.072104][ T8005]  ? __fdget+0x1b/0x20
[  207.076172][ T8005]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  207.082435][ T8005]  ? sockfd_lookup_light+0xcb/0x180
[  207.087627][ T8005]  __sys_sendmmsg+0x1bf/0x4d0
[  207.092308][ T8005]  ? __ia32_sys_sendmsg+0xb0/0xb0
[  207.097336][ T8005]  ? _copy_to_user+0xc9/0x120
[  207.102001][ T8005]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  207.108243][ T8005]  ? put_timespec64+0xda/0x140
[  207.113030][ T8005]  ? nsecs_to_jiffies+0x30/0x30
[  207.117887][ T8005]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  207.123332][ T8005]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  207.128778][ T8005]  ? do_syscall_64+0x26/0x610
[  207.133481][ T8005]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  207.139561][ T8005]  ? do_syscall_64+0x26/0x610
[  207.144251][ T8005]  __x64_sys_sendmmsg+0x9d/0x100
[  207.149193][ T8005]  do_syscall_64+0x103/0x610
[  207.153800][ T8005]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  207.159706][ T8005] RIP: 0033:0x4582b9
[  207.163627][ T8005] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  207.184105][ T8005] RSP: 002b:00007f1ae77cbc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[  207.192613][ T8005] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004582b9
[  207.200591][ T8005] RDX: 0400000000000174 RSI: 00000000200002c0 RDI: 0000000000000005
[  207.208590][ T8005] RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000
[  207.216564][ T8005] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1ae77cc6d4
[  207.224527][ T8005] R13: 00000000004c5230 R14: 00000000004d9380 R15: 00000000ffffffff
[  207.240246][    C1] protocol 88fb is buggy, dev hsr_slave_0
[  207.246045][    C1] protocol 88fb is buggy, dev hsr_slave_1
14:49:01 executing program 5:
syz_emit_ethernet(0x1, &(0x7f0000000040)=ANY=[@ANYBLOB="ffffffffffffaaaaaaaaaaaa86dd60f5f5ae0030670000000000000000000000ffffac9c14aaff02000000000000000000000000000102009078000000006081a8bf000000000000000000000000000000000000000100000000000000000000000000000001"], 0x0)

14:49:01 executing program 0:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070")
r1 = syz_open_dev$sndctrl(&(0x7f0000006000)='/dev/snd/controlC#\x00', 0x0, 0x0)
ioctl$SNDRV_CTL_IOCTL_PCM_PREFER_SUBDEVICE(r1, 0x40045532, &(0x7f00000001c0))
openat$audio(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/audio\x00', 0x0, 0x0)

14:49:01 executing program 2:
r0 = syz_open_dev$binder(&(0x7f0000001440)='/dev/binder#\x00', 0xffffffffffffffff, 0x802)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000001a00)={0x0, 0x0, 0x0, 0x1, 0x0, &(0x7f0000001a80)='L'})

14:49:01 executing program 1:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
setsockopt$inet_tcp_int(r0, 0x6, 0x10000000013, &(0x7f0000d06000)=0x1, 0x4)
setsockopt$SO_BINDTODEVICE(r0, 0x1, 0x19, &(0x7f0000000000)='veth1\x00', 0x10)
connect$inet(r0, &(0x7f00000000c0)={0x2, 0x0, @local}, 0x10)
setsockopt$inet_tcp_int(r0, 0x6, 0x4000000000013, &(0x7f0000000180), 0x4)
sendmmsg(r0, &(0x7f000000c780)=[{{0x0, 0x0, 0x0, 0x0, &(0x7f0000004880)=[{0x10, 0x1}], 0x10}}], 0x1, 0x40)

14:49:01 executing program 4:
r0 = socket$inet6_sctp(0xa, 0x10000000005, 0x84)
getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST(r0, 0x84, 0x1d, &(0x7f000095dff8)=ANY=[@ANYBLOB='\a\x00\x00\x00', @ANYRES32=<r1=>0x0], 0x0)
setsockopt$inet_sctp6_SCTP_MAX_BURST(r0, 0x84, 0x14, &(0x7f0000000000)=@assoc_value={r1}, 0x8)

14:49:01 executing program 3:
socket$inet6(0xa, 0x3, 0x6)
fdatasync(0xffffffffffffff9c)
socket$inet6(0xa, 0x1000000000002, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
sendmsg$IPVS_CMD_DEL_DEST(0xffffffffffffffff, &(0x7f0000000580)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x4}, 0xc, &(0x7f0000000040)={&(0x7f0000000380)=ANY=[@ANYBLOB="9287b748246deeca588edacd5c1cc596a848a41b96d72d9ff1ffcd245d4623bea592fa911a59141ad79770daa350bbd501b4cb95cf19700700000000000000625d08ef137426f4997e282f68591512c4636d34e1d3cc668e8b4f8843a8485590d2eacc2773f295290a92d6f061f3d87a22968a81d80da9a6c39f5c7aa09f49456049763d7bb11d1171be83d26f047ce47c565dbf107ab9605a473e04c7e779a0c244ca4388df158abb"], 0x1}, 0x1, 0x0, 0x0, 0x90}, 0xfffffffffffffffd)
r0 = socket$inet6(0xa, 0x6, 0x0)
bind$inet6(r0, &(0x7f0000000000)={0xa, 0x4e20}, 0x1c)
r1 = socket$inet_dccp(0x2, 0x6, 0x0)
listen(r0, 0x6)
setsockopt(r1, 0x10d, 0x800000000d, &(0x7f00001c9fff)="03", 0x1)
connect$inet(r1, &(0x7f0000e5c000)={0x2, 0x4e20, @dev={0xac, 0x14, 0x14, 0x20}}, 0x10)
r2 = accept(r0, 0x0, &(0x7f00000001c0)=0x281)
sendmmsg(r1, &(0x7f0000005700)=[{{&(0x7f0000003900)=@pptp, 0x80, &(0x7f0000003b80), 0x3a5, &(0x7f0000003bc0), 0x72}}], 0x3a6, 0x0)
setsockopt$SO_BINDTODEVICE(r2, 0x1, 0x19, &(0x7f0000000100)='erspan0\x00', 0xfc)
sendmmsg(r1, &(0x7f000000a080)=[{{&(0x7f0000005440)=@pppol2tpin6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x2, {0xa, 0x0, 0x0, @ipv4={[], [], @local}}}}, 0x80, &(0x7f0000005640)=[{&(0x7f00000097c0)="bf", 0x1}], 0x1, 0x0, 0x0, 0x1}}], 0x1, 0x0)

14:49:01 executing program 1:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070")
r1 = bpf$MAP_CREATE(0x0, &(0x7f00000001c0)={0x14, 0x4, 0x4, 0x7}, 0x2c)
bpf$MAP_LOOKUP_ELEM(0x4, &(0x7f0000000040)={r1, &(0x7f0000000000), 0x0}, 0x18)

14:49:01 executing program 2:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3)
bind$bt_l2cap(r0, &(0x7f00000000c0), 0xe)
listen(r0, 0x0)
setsockopt$sock_linger(r0, 0x1, 0xd, &(0x7f0000000000)={0x1, 0x1000}, 0x8)
shutdown(r0, 0x0)

14:49:01 executing program 4:
clone(0x8000003002001ffe, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
r0 = gettid()
wait4(0x0, 0x0, 0x80000000, 0x0)
ptrace$setopts(0x4206, r0, 0x0, 0x0)
tkill(r0, 0x38)
ptrace$cont(0x18, r0, 0x0, 0x0)
r1 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r1, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070")
syz_emit_ethernet(0x0, 0x0, 0x0)
ioctl$BLKTRACESETUP(0xffffffffffffffff, 0xc0481273, &(0x7f00000000c0)={[], 0x0, 0x0, 0x0, 0x0, 0xa9})
ptrace$setregs(0xd, r0, 0x0, &(0x7f0000000080))
ptrace$cont(0x20, r0, 0x0, 0x0)

14:49:01 executing program 5:
r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000000c0)='memory.events\x00', 0x26e1, 0x0)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000140)='memory.events\x00', 0x7a05, 0x1700)
write$cgroup_subtree(r0, &(0x7f0000000680)=ANY=[@ANYRES32=r1], 0x4)
write$cgroup_subtree(r1, &(0x7f0000000000)=ANY=[], 0xfffffcbe)
getsockopt$inet_sctp6_SCTP_RECONFIG_SUPPORTED(r0, 0x84, 0x75, &(0x7f0000000100)={<r2=>0x0, 0x2}, &(0x7f00000001c0)=0x8)
getsockopt$inet_sctp6_SCTP_RESET_STREAMS(r1, 0x84, 0x77, &(0x7f0000000200)={r2, 0x3b32, 0x4, [0x8, 0xfffffffffffffffb, 0x9, 0x1f]}, &(0x7f00000002c0)=0x10)
sendmsg$TIPC_CMD_SET_LINK_PRI(r1, &(0x7f0000000600)={&(0x7f00000004c0)={0x10, 0x0, 0x0, 0x4000000}, 0xc, &(0x7f00000005c0)={&(0x7f0000000580)={0x30, 0x0, 0x320, 0x70bd26, 0x25dfdbfe, {{}, 0x0, 0x4108, 0x0, {0x14, 0x18, {0x80, @bearer=@udp='udp:syz0\x00'}}}, [""]}, 0x30}, 0x1, 0x0, 0x0, 0x4000004}, 0x24000090)
r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000540)='memory.events\x00', 0x0, 0x0)
r4 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$nl_netfilter(r4, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000180)=ANY=[@ANYBLOB="140000000301ffff808fdb003d88c8f00010ae1b"], 0x14}}, 0x0)
recvmmsg(r4, &(0x7f00000013c0), 0x4a5, 0x200002, &(0x7f0000000c40)={0x77359400})
getsockopt$sock_int(r4, 0x1, 0x3c, &(0x7f0000000300), &(0x7f0000000340)=0x4)
epoll_ctl$EPOLL_CTL_MOD(r1, 0x3, r3, &(0x7f00000006c0)={0x20000000})
getsockopt$inet_IP_XFRM_POLICY(r0, 0x0, 0x11, &(0x7f0000000380)={{{@in=@dev, @in6=@dev}}, {{@in6}, 0x0, @in=@loopback}}, &(0x7f0000000480)=0xe8)

14:49:01 executing program 0:
perf_event_open(&(0x7f0000000040)={0x2, 0x70, 0xee67, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
clone(0xbfff, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
r0 = gettid()
r1 = creat(&(0x7f0000000140)='./bus\x00', 0x0)
ioctl$EXT4_IOC_GROUP_ADD(r1, 0x40286608, &(0x7f0000000000))
ptrace$setopts(0x4206, r0, 0x0, 0x0)
tkill(r0, 0x17)
wait4(0x0, 0x0, 0x0, 0x0)

14:49:01 executing program 4:
bind$alg(0xffffffffffffffff, 0x0, 0x0)
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, &(0x7f00000001c0))
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
openat$rfkill(0xffffffffffffff9c, 0x0, 0x0, 0x0)
sendmsg$SEG6_CMD_GET_TUNSRC(0xffffffffffffffff, 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000180)={0x14, 0x0, &(0x7f0000005fd4)=[@acquire_done={0x40486311}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper], 0x1, 0x0, &(0x7f0000000040)="f0"})
setsockopt$inet_pktinfo(0xffffffffffffffff, 0x0, 0x8, 0x0, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000540)={0x4c, 0x0, &(0x7f0000000300)=[@reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

14:49:01 executing program 2:
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000040)={'sit0\x00'})
socketpair(0x0, 0x0, 0x0, 0x0)
ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xfe\x00\x00\x00\x00\x00\xc0\xfe\a\x00', 0x141})

[  207.598421][ T8041] EXT4-fs warning (device sda1): ext4_group_add:1643: No reserved GDT blocks, can't resize
[  207.630701][ T8043] EXT4-fs warning (device sda1): ext4_group_add:1643: No reserved GDT blocks, can't resize
14:49:01 executing program 1:
r0 = socket(0x2, 0x1, 0x0)
listen(r0, 0x0)
r1 = epoll_create1(0x0)
epoll_ctl$EPOLL_CTL_ADD(r1, 0x1, r0, &(0x7f0000009ff4))
accept4(r0, 0x0, 0x0, 0x0)
epoll_wait(r1, &(0x7f000000cff0)=[{}], 0x1, 0xfffffffffffffff7)
shutdown(r0, 0x0)

[  207.720016][ T8048] binder: 8046:8048 ERROR: BC_REGISTER_LOOPER called without request
[  207.744194][ T8048] binder: 8046:8048 ioctl c018620b 0 returned -14
[  207.755181][ T8048] binder_alloc: 8046: binder_alloc_buf, no vma
14:49:01 executing program 0:
r0 = socket$packet(0x11, 0x100000000000003, 0x300)
setsockopt$packet_int(r0, 0x107, 0xf, &(0x7f0000006ffc)=0x200, 0xfe61)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000004500)={'bridge0\x00', <r1=>0x0})
bind$packet(r0, &(0x7f0000000640)={0x11, 0x0, r1, 0x1, 0x0, 0x6, @random="32cae4783d32"}, 0x14)
sendto$inet6(r0, &(0x7f0000000100)="050300000300000000000000c52cf7c21975e697b02f08066b2b2ff0dac8897c6b1187dc13e973a13dd84f04ca1e6d886b6621d8d217cc21e5c8a986f99f4b07d099369a900002aaff41a396f5bad192bcf5cf74755f97fee2b1849884aff2a9b47fac839b362d1393a60c472d24eb19db02bff75cd9c3625ea9da2d78eb600d73fd0b4d01a620ea250619f06765752199e3ae3367c8b7a2a3ab2e1ec40fe7af714c806b5e866bb20f0d298c9566aaf9551c7908de2ed285f414af9f32fcd32000ac8f2457ba0d9159f9e945e8df0b7ca79000e48cf839080d3108355020a5cb57d6933c8384612d250e025e0ff13768c2dbe79834a4b8687891d58b18314b52c7caa3c4847139c1407e1ad3a40b2eeafe2a91d855b29f546b339d1c32fc652c68a83d0973b44c1d801aa3036680c948d1c1f4451e9c96686c248b70b719bed51c38a9257c5ff4700200"/343, 0x157, 0x0, 0x0, 0x0)

[  207.772702][ T8048] binder: 8046:8048 transaction failed 29189/-3, size 0-0 line 3148
[  207.810761][ T8048] binder: send failed reply for transaction 6 to 8046:8048
[  207.843790][ T8061] binder_alloc: binder_alloc_mmap_handler: 8046 20001000-20004000 already mapped failed -16
[  207.879700][ T8060] binder: BINDER_SET_CONTEXT_MGR already set
[  207.894839][ T8060] binder: 8046:8060 ioctl 40046207 0 returned -16
[  207.917743][ T8061] binder_alloc: 8046: binder_alloc_buf, no vma
14:49:01 executing program 1:
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000000)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
ioctl$sock_TIOCINQ(0xffffffffffffffff, 0x541b, 0x0)
dup2(r0, r1)
setsockopt$inet6_MCAST_LEAVE_GROUP(0xffffffffffffffff, 0x29, 0x2d, 0x0, 0xffffffffffffffd1)
recvfrom$unix(r0, &(0x7f00000001c0)=""/94, 0x5e, 0x100, 0x0, 0x0)

14:49:01 executing program 0:
perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1ff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000080)={0xffffffffffffffff, 0x0, &(0x7f0000000140)="40c74adc7724e27d876f441d952bf111375896d876c4ed0f2e703cd5f8b64ff3cd946b507daea1c09fc1fe6c"}, 0x20)
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000400)='/dev/net/tun\x00', 0x2, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000180)={'nr0\x01\x00', 0x4009})
bpf$BPF_PROG_GET_NEXT_ID(0xb, 0x0, 0x0)
ioctl$TUNSETVNETHDRSZ(0xffffffffffffffff, 0x400454d8, 0x0)
write$cgroup_subtree(r0, &(0x7f00000000c0)={[{0x0, 'c\x86\xdd', 0x8}]}, 0xfdef)

[  207.942696][ T8055] device sit0 entered promiscuous mode
[  207.955984][ T8061] binder: 8046:8061 transaction failed 29189/-3, size 0-0 line 3148
[  208.007073][ T8048] binder: 8046:8048 ioctl c018620b 0 returned -14
[  208.031880][ T8068] binder: 8046:8068 got reply transaction with no transaction stack
[  208.073630][ T8068] binder: 8046:8068 transaction failed 29201/-71, size 0-0 line 2900
14:49:01 executing program 3:
socket$inet6(0xa, 0x3, 0x6)
fdatasync(0xffffffffffffff9c)
socket$inet6(0xa, 0x1000000000002, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
sendmsg$IPVS_CMD_DEL_DEST(0xffffffffffffffff, &(0x7f0000000580)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x4}, 0xc, &(0x7f0000000040)={&(0x7f0000000380)=ANY=[@ANYBLOB="9287b748246deeca588edacd5c1cc596a848a41b96d72d9ff1ffcd245d4623bea592fa911a59141ad79770daa350bbd501b4cb95cf19700700000000000000625d08ef137426f4997e282f68591512c4636d34e1d3cc668e8b4f8843a8485590d2eacc2773f295290a92d6f061f3d87a22968a81d80da9a6c39f5c7aa09f49456049763d7bb11d1171be83d26f047ce47c565dbf107ab9605a473e04c7e779a0c244ca4388df158abb"], 0x1}, 0x1, 0x0, 0x0, 0x90}, 0xfffffffffffffffd)
r0 = socket$inet6(0xa, 0x6, 0x0)
bind$inet6(r0, &(0x7f0000000000)={0xa, 0x4e20}, 0x1c)
r1 = socket$inet_dccp(0x2, 0x6, 0x0)
listen(r0, 0x6)
setsockopt(r1, 0x10d, 0x800000000d, &(0x7f00001c9fff)="03", 0x1)
connect$inet(r1, &(0x7f0000e5c000)={0x2, 0x4e20, @dev={0xac, 0x14, 0x14, 0x20}}, 0x10)
r2 = accept(r0, 0x0, &(0x7f00000001c0)=0x281)
sendmmsg(r1, &(0x7f0000005700)=[{{&(0x7f0000003900)=@pptp, 0x80, &(0x7f0000003b80), 0x3a5, &(0x7f0000003bc0), 0x72}}], 0x3a6, 0x0)
setsockopt$SO_BINDTODEVICE(r2, 0x1, 0x19, &(0x7f0000000100)='erspan0\x00', 0xfc)
sendmmsg(r1, &(0x7f000000a080)=[{{&(0x7f0000005440)=@pppol2tpin6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x2, {0xa, 0x0, 0x0, @ipv4={[], [], @local}}}}, 0x80, &(0x7f0000005640)=[{&(0x7f00000097c0)="bf", 0x1}], 0x1, 0x0, 0x0, 0x1}}], 0x1, 0x0)

14:49:01 executing program 1:
bind$alg(0xffffffffffffffff, 0x0, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
openat$rfkill(0xffffffffffffff9c, &(0x7f00000004c0)='/dev/rfkill\x00', 0x0, 0x0)
sendmsg$SEG6_CMD_GET_TUNSRC(0xffffffffffffffff, 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000180)={0x14, 0x0, &(0x7f0000005fd4)=[@acquire_done={0x40486311}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper], 0x1, 0x0, &(0x7f0000000040)="f0"})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000540)={0x4c, 0x0, &(0x7f0000000300)=[@reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

14:49:01 executing program 4:
bind$alg(0xffffffffffffffff, 0x0, 0x0)
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, &(0x7f00000001c0))
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
openat$rfkill(0xffffffffffffff9c, 0x0, 0x0, 0x0)
sendmsg$SEG6_CMD_GET_TUNSRC(0xffffffffffffffff, 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000180)={0x14, 0x0, &(0x7f0000005fd4)=[@acquire_done={0x40486311}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper], 0x1, 0x0, &(0x7f0000000040)="f0"})
setsockopt$inet_pktinfo(0xffffffffffffffff, 0x0, 0x8, 0x0, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000540)={0x4c, 0x0, &(0x7f0000000300)=[@reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  208.255569][ T8081] binder: BINDER_SET_CONTEXT_MGR already set
[  208.293626][ T8081] binder: 8079:8081 ioctl 40046207 0 returned -16
[  208.312218][ T8084] binder_alloc: 8046: binder_alloc_buf, no vma
[  208.316795][ T8078] binder: BINDER_SET_CONTEXT_MGR already set
[  208.333611][ T8084] binder: 8079:8084 transaction failed 29189/-3, size 0-0 line 3148
[  208.368267][ T8078] binder: 8077:8078 ioctl 40046207 0 returned -16
[  208.369170][ T8085] binder_alloc: 8046: binder_alloc_buf, no vma
[  208.381464][ T8081] binder: 8079:8081 ERROR: BC_REGISTER_LOOPER called without request
[  208.411226][ T8078] binder: 8077:8078 ERROR: BC_REGISTER_LOOPER called without request
[  208.423502][ T8085] binder: 8077:8085 transaction failed 29189/-3, size 0-0 line 3148
[  208.445730][ T8084] binder: 8079:8084 ioctl c018620b 0 returned -14
[  208.464880][ T8085] binder: 8077:8085 got reply transaction with no transaction stack
[  208.475685][ T8085] binder: 8077:8085 transaction failed 29201/-71, size 0-0 line 2900
[  208.494114][ T8084] binder: 8079:8084 got reply transaction with no transaction stack
[  208.508318][ T8084] binder: 8079:8084 transaction failed 29201/-71, size 0-0 line 2900
14:49:02 executing program 5:
ioctl$SG_GET_PACK_ID(0xffffffffffffffff, 0x227c, &(0x7f0000000180))
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r0 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r0, &(0x7f0000000000)={0x26, 'aead\x00', 0x0, 0x0, 'morus640-generic\x00'}, 0x58)
setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000080)="ab553fec94248c32e27d04000000288a", 0x10)
r1 = openat$full(0xffffffffffffff9c, 0x0, 0x800, 0x0)
r2 = accept$alg(r0, 0x0, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(0xffffffffffffffff, 0x8933, &(0x7f0000000340)={'vcan0\x00'})
sendmsg$alg(r2, &(0x7f0000001380)={0x0, 0x0, 0x0, 0x0, &(0x7f00000000c0)=[@op={0x18, 0x117, 0x3, 0x1}, @assoc={0x18, 0x117, 0x4, 0x2f5}], 0x30}, 0x0)
write$binfmt_script(r2, &(0x7f0000000600)=ANY=[], 0xfec8)
recvmmsg(r2, &(0x7f0000007e00)=[{{&(0x7f0000001240)=@alg, 0x80, &(0x7f0000004700)=[{&(0x7f00000012c0)=""/167, 0xf}, {&(0x7f00000023c0)=""/49, 0x200023f1}, {&(0x7f0000003580)=""/4096, 0x1000}], 0x3, &(0x7f0000004780)=""/245, 0xf5}}], 0x30, 0x0, &(0x7f0000008000)={0x0, 0x989680})
ioctl$KVM_PPC_GET_PVINFO(r1, 0x4080aea1, &(0x7f0000000100)=""/4)

[  208.600340][   T26] kauditd_printk_skb: 743 callbacks suppressed
[  208.600353][   T26] audit: type=1800 audit(1554648542.294:40): pid=8058 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed comm="syz-executor.5" name="memory.events" dev="sda1" ino=16545 res=0
[  208.765551][ T7921] binder: undelivered TRANSACTION_ERROR: 29189
[  208.771944][ T8053] device sit0 left promiscuous mode
[  208.779376][ T7921] binder: undelivered TRANSACTION_ERROR: 29201
[  208.785882][ T7921] binder: undelivered TRANSACTION_COMPLETE
[  208.809008][ T7921] binder: undelivered TRANSACTION_ERROR: 29189
14:49:02 executing program 5:
socket$inet(0x2, 0x3, 0x7)
r0 = socket$netlink(0x10, 0x3, 0x4)
sendmsg$nl_generic(r0, &(0x7f0000005000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)={0x48, 0x14, 0x7, 0x0, 0x0, {0x2, 0xf0ffff, 0x600}, [@typed={0x34, 0x0, @binary="582f45cff97465821b0965512fe4fa59a835ee667f000001fd3953ffee03d79dc442c6bbe736863d55a7374efe"}]}, 0x48}}, 0x0)

14:49:02 executing program 2:
r0 = socket$inet(0x2, 0x1, 0x0)
bind$inet(r0, &(0x7f0000000000)={0x2, 0x4e23, @local}, 0x10)
sendto$inet(r0, 0x0, 0x0, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23}, 0x10)
setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x0, 0x0, 0x0)
timer_create(0x0, 0x0, 0x0)
times(0x0)
syz_open_procfs(0x0, 0x0)
fcntl$getown(0xffffffffffffffff, 0x9)
tkill(0x0, 0x0)
sendmsg(0xffffffffffffffff, 0x0, 0x0)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
preadv(0xffffffffffffffff, 0x0, 0x0, 0x0)
fcntl$dupfd(0xffffffffffffffff, 0x0, 0xffffffffffffffff)
ioctl$EVIOCGPROP(0xffffffffffffffff, 0x80404509, 0x0)
timer_create(0x0, 0x0, 0x0)
syz_extract_tcp_res(0x0, 0x0, 0x0)
timer_create(0x0, 0x0, 0x0)
timer_create(0x0, 0x0, 0x0)
timer_create(0x0, 0x0, 0x0)
timer_create(0x0, 0x0, 0x0)
timer_create(0x0, 0x0, 0x0)
timer_delete(0x0)
syz_open_procfs(0x0, 0x0)
ioctl$TUNSETVNETLE(0xffffffffffffffff, 0x400454dc, 0x0)
setsockopt$inet_tcp_TCP_FASTOPEN_KEY(0xffffffffffffffff, 0x6, 0x21, 0x0, 0xffffffffffffff69)
ioctl$TIOCGSID(0xffffffffffffffff, 0x5429, 0x0)
r2 = syz_open_procfs(0x0, &(0x7f0000000400)='net/tcp\x00\xcdWq\xe9*\a4g\a^\x90\xb6\xe4kH2\x80/\x88\xb6\xbb\xeb`\xb8@#\x83tH\xae\xa4y\x1d\\]\x93\x93\xb5e\xd9\xd4\xb8A# \xc8*s\xd0g>\x16\xabM\x7foK\xec\x17f\xb9x\x11\xbf\xab\x16\xc5\xcb\x94\xff\x1c\xa0\x01\xb3I\x1c\xb9\xcc\xbb\xbe\x9c\xd0!\x13\xe1\xbc.\xfaG3\x85\xe0,')
sendfile(r0, r2, &(0x7f0000000080), 0x80000003)

14:49:02 executing program 5:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_int(r0, 0x6, 0x13, &(0x7f00000000c0)=0x100000001, 0x1d4)
connect$inet6(r0, &(0x7f0000000080), 0x1c)
sendmsg$nl_xfrm(0xffffffffffffffff, &(0x7f0000003c80)={0x0, 0x0, &(0x7f0000000580)={&(0x7f0000000140)=ANY=[@ANYBLOB], 0x1}, 0x8}, 0x0)
setsockopt$inet6_tcp_TCP_ULP(r0, 0x6, 0x1f, &(0x7f0000000040)='tls\x00', 0x4)
setsockopt$inet6_tcp_TLS_TX(r0, 0x11a, 0x2, &(0x7f0000000100), 0x28)
recvmmsg(r0, &(0x7f0000002fc0)=[{{0x0, 0x0, &(0x7f0000002a80)=[{&(0x7f0000000280)=""/124, 0x7c}], 0x1}}], 0x1, 0x0, 0x0)
shutdown(r0, 0x0)

[  209.031717][ T8085] binder_alloc: binder_alloc_mmap_handler: 8077 20001000-20004000 already mapped failed -16
14:49:02 executing program 4:
r0 = socket(0x4000000000010, 0x80002, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)=@newlink={0x38, 0x10, 0xf0b, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x18, 0x12, @gre={{0x8, 0x1, 'gre\x00'}, {0xc, 0x2, [@IFLA_GRE_LOCAL={0x8, 0x2}]}}}]}, 0x38}}, 0x0)
sendmmsg$alg(r0, &(0x7f0000000140), 0x4924924924928bb, 0x0)

14:49:02 executing program 3:
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r0 = openat$cgroup(0xffffffffffffff9c, &(0x7f00000002c0)='syz1\x00', 0x200002, 0x0)
r1 = openat$cgroup_ro(r0, 0x0, 0x0, 0x0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000300))
r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}, 0x100}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000180)='memory.events\x00', 0x26e1, 0x0)
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x7a05, 0x1700)
ioctl$TUNGETSNDBUF(r1, 0x800454d3, 0x0)
bpf$BPF_GET_PROG_INFO(0xf, &(0x7f0000000600)={r1, 0xc0, &(0x7f0000000540)={0x0, <r5=>0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ""/16, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000440)=0x9, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, &(0x7f0000000480)={0x0, 0x5e, 0x1, 0x3}, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000500)=0x64}}, 0x10)
bpf$BPF_PROG_GET_FD_BY_ID(0xd, &(0x7f0000000640)=r5, 0x4)
bpf$BPF_GET_BTF_INFO(0xf, &(0x7f00000008c0)={0xffffffffffffffff, 0x10, &(0x7f0000000880)={&(0x7f0000000240)=""/15, 0xf}}, 0x10)
r6 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000140)='memory.events\x00', 0x7a05, 0x1700)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x44a95, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x80)
write$cgroup_subtree(r3, &(0x7f0000000540)=ANY=[], 0x22b5)
ioctl$PERF_EVENT_IOC_PERIOD(r6, 0x4030582a, &(0x7f0000000040))
write$cgroup_pid(r4, &(0x7f0000000000), 0x200)
openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x7a05, 0x1700)
bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000200)={<r7=>0x0, r2, 0x0, 0x2, &(0x7f0000000100)=']\x00', <r8=>0xffffffffffffffff}, 0x30)
bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000280)={0x0, r2, 0x0, 0x2, &(0x7f00000000c0)=':\x00', r8}, 0x30)
perf_event_open(&(0x7f00000006c0)={0x2, 0x70, 0x0, 0x422641d6, 0x100, 0x5, 0x0, 0x3ff, 0x80400, 0x0, 0x3, 0x0, 0x3, 0x4, 0x1, 0x0, 0x1067, 0x0, 0x6, 0x3, 0x2, 0x3, 0x5, 0x80000000, 0xffffffffffff2022, 0x4, 0x0, 0x160, 0x3, 0xbb, 0x0, 0x4, 0x40, 0x0, 0x5, 0x10001, 0xb5e3, 0x0, 0x0, 0x5, 0x4, @perf_config_ext={0x5, 0x7}, 0x4, 0x8, 0x6, 0x7, 0x1, 0x101, 0x1}, r7, 0xffffffffffffffff, r1, 0x2)
perf_event_open(&(0x7f00000003c0)={0x3, 0x70, 0x0, 0x4f1, 0x9, 0x0, 0x0, 0x0, 0x4000, 0xc, 0x497, 0x4ba, 0x9, 0x1, 0x5, 0x4, 0x7, 0x96, 0x1000, 0x1ff, 0x8, 0x0, 0x0, 0xff, 0x1ff, 0x5, 0x8, 0xffffffff00000000, 0xbf, 0x4, 0x800, 0x9, 0x20, 0x9f, 0x0, 0x8, 0xcfa, 0x81, 0x0, 0xfffffffffffffffc, 0x6, @perf_bp={0x0, 0x4}, 0x1200, 0x0, 0x0, 0xf, 0x33bab925, 0x2, 0x3f}, 0x0, 0x10, 0xffffffffffffffff, 0x2)

[  209.095227][ T8104] binder_alloc: 8077: binder_alloc_buf, no vma
[  209.109456][ T8107] tls_set_device_offload_rx: netdev lo with no TLS offload
[  209.118133][ T8104] binder: 8077:8104 transaction failed 29189/-3, size 0-0 line 3148
[  209.169572][ T8085] binder: 8077:8085 ERROR: BC_REGISTER_LOOPER called without request
[  209.207005][ T8117] binder: 8077:8117 got reply transaction with no transaction stack
14:49:02 executing program 1:
bind$alg(0xffffffffffffffff, 0x0, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
openat$rfkill(0xffffffffffffff9c, &(0x7f00000004c0)='/dev/rfkill\x00', 0x0, 0x0)
sendmsg$SEG6_CMD_GET_TUNSRC(0xffffffffffffffff, 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000180)={0x14, 0x0, &(0x7f0000005fd4)=[@acquire_done={0x40486311}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper], 0x1, 0x0, &(0x7f0000000040)="f0"})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000540)={0x4c, 0x0, &(0x7f0000000300)=[@reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  209.233044][ T8117] binder: 8077:8117 transaction failed 29201/-71, size 0-0 line 2900
[  209.348772][ T8115] netlink: 'syz-executor.4': attribute type 2 has an invalid length.
[  209.372467][ T8112] BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor.5/8112
[  209.382789][ T8112] caller is ip6_finish_output+0x335/0xdc0
[  209.388592][ T8112] CPU: 1 PID: 8112 Comm: syz-executor.5 Not tainted 5.1.0-rc3-next-20190405 #19
[  209.397628][ T8112] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  209.399279][ T8125] binder: BINDER_SET_CONTEXT_MGR already set
[  209.407695][ T8112] Call Trace:
[  209.407762][ T8112]  dump_stack+0x172/0x1f0
[  209.407791][ T8112]  __this_cpu_preempt_check+0x246/0x270
[  209.407815][ T8112]  ip6_finish_output+0x335/0xdc0
[  209.407840][ T8112]  ip6_output+0x235/0x7f0
[  209.407866][ T8112]  ? ip6_finish_output+0xdc0/0xdc0
[  209.441530][ T8112]  ? ip6_fragment+0x3980/0x3980
[  209.446417][ T8112]  ip6_xmit+0xe41/0x20c0
[  209.450692][ T8112]  ? ip6_finish_output2+0x2550/0x2550
[  209.456188][ T8112]  ? mark_held_locks+0xf0/0xf0
[  209.460974][ T8112]  ? ip6_setup_cork+0x1870/0x1870
[  209.466046][ T8112]  inet6_csk_xmit+0x2fb/0x5d0
[  209.469375][ T8125] binder: 8124:8125 ioctl 40046207 0 returned -16
[  209.470742][ T8112]  ? inet6_csk_update_pmtu+0x190/0x190
[  209.470759][ T8112]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  209.470782][ T8112]  ? csum_ipv6_magic+0x20/0x80
[  209.470821][ T8112]  __tcp_transmit_skb+0x1a32/0x3750
[  209.495196][ T8128] binder_alloc: 8077: binder_alloc_buf, no vma
[  209.498970][ T8112]  ? tcp_connect+0x1184/0x4280
[  209.498994][ T8112]  ? __tcp_select_window+0x8b0/0x8b0
[  209.499008][ T8112]  ? lockdep_hardirqs_on+0x418/0x5d0
[  209.499032][ T8112]  ? trace_hardirqs_on+0x67/0x230
[  209.499055][ T8112]  ? tcp_rbtree_insert+0x188/0x200
[  209.530897][ T8112]  tcp_connect+0x2e18/0x4280
[  209.535517][ T8112]  ? tcp_push_one+0x110/0x110
[  209.540229][ T8112]  ? secure_tcpv6_ts_off+0x24f/0x360
[  209.542529][ T8129] binder: 8124:8129 ERROR: BC_REGISTER_LOOPER called without request
[  209.545532][ T8112]  ? secure_dccpv6_sequence_number+0x280/0x280
[  209.545548][ T8112]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  209.545563][ T8112]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  209.545585][ T8112]  ? prandom_u32_state+0x13/0x180
[  209.577338][ T8112]  tcp_v6_connect+0x150b/0x20a0
[  209.582225][ T8112]  ? tcp_v6_conn_request+0x2b0/0x2b0
[  209.587599][ T8112]  __inet_stream_connect+0x83f/0xea0
[  209.592931][ T8112]  ? tcp_v6_conn_request+0x2b0/0x2b0
[  209.598290][ T8112]  ? __inet_stream_connect+0x83f/0xea0
[  209.603781][ T8112]  ? mark_held_locks+0xa4/0xf0
[  209.608677][ T8112]  ? inet_dgram_connect+0x2e0/0x2e0
[  209.613900][ T8112]  ? lock_sock_nested+0x9a/0x120
[  209.619069][ T8112]  ? trace_hardirqs_on+0x67/0x230
[  209.620731][ T8131] netlink: 'syz-executor.4': attribute type 2 has an invalid length.
[  209.624114][ T8112]  ? lock_sock_nested+0x9a/0x120
[  209.624133][ T8112]  ? __local_bh_enable_ip+0x15a/0x270
[  209.624158][ T8112]  inet_stream_connect+0x58/0xa0
[  209.624179][ T8112]  __sys_connect+0x266/0x330
[  209.624198][ T8112]  ? __ia32_sys_accept+0xb0/0xb0
[  209.624223][ T8112]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  209.656781][ T8128] binder: 8124:8128 transaction failed 29189/-3, size 0-0 line 3148
[  209.657049][ T8112]  ? put_timespec64+0xda/0x140
[  209.657076][ T8112]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  209.681928][ T8112]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  209.687413][ T8112]  ? do_syscall_64+0x26/0x610
[  209.692113][ T8112]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  209.694024][ T8125] binder: 8124:8125 got reply transaction with no transaction stack
[  209.698218][ T8112]  ? do_syscall_64+0x26/0x610
[  209.698243][ T8112]  __x64_sys_connect+0x73/0xb0
[  209.698262][ T8112]  do_syscall_64+0x103/0x610
[  209.698283][ T8112]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  209.698294][ T8112] RIP: 0033:0x4582b9
[  209.698311][ T8112] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  209.698319][ T8112] RSP: 002b:00007f1ae77cbc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[  209.698334][ T8112] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004582b9
[  209.698353][ T8112] RDX: 000000000000001c RSI: 0000000020000080 RDI: 0000000000000004
[  209.774920][ T8112] RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000
[  209.782906][ T8112] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1ae77cc6d4
[  209.790894][ T8112] R13: 00000000004be64c R14: 00000000004cf1e0 R15: 00000000ffffffff
14:49:03 executing program 0:
r0 = socket$inet6_udplite(0xa, 0x2, 0x88)
capset(&(0x7f0000000ac0)={0x19980330}, &(0x7f0000000b00))
r1 = add_key$user(&(0x7f0000000140)='user\x00', &(0x7f0000000180)={'syz'}, 0x0, 0x0, 0xffffffffffffffff)
getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000380)={0x0, 0x0, <r2=>0x0}, &(0x7f00000003c0)=0xc)
keyctl$chown(0x4, r1, 0x0, r2)

14:49:03 executing program 2:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl(r0, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070")
r1 = bpf$MAP_CREATE(0x0, &(0x7f00000001c0)={0x14, 0x4, 0x4, 0x7}, 0x2c)
ioctl$sock_inet_SIOCSIFDSTADDR(0xffffffffffffffff, 0x8918, &(0x7f0000000000)={'ip6_vti0\x00', {0x2, 0x0, @loopback}})
bpf$MAP_LOOKUP_ELEM(0x4, &(0x7f0000000040)={r1, &(0x7f0000000000), 0x0}, 0x18)

14:49:03 executing program 3:
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r0 = openat$cgroup(0xffffffffffffff9c, &(0x7f00000002c0)='syz1\x00', 0x200002, 0x0)
r1 = openat$cgroup_ro(r0, 0x0, 0x0, 0x0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000300))
r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}, 0x100}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000180)='memory.events\x00', 0x26e1, 0x0)
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x7a05, 0x1700)
ioctl$TUNGETSNDBUF(r1, 0x800454d3, 0x0)
bpf$BPF_GET_PROG_INFO(0xf, &(0x7f0000000600)={r1, 0xc0, &(0x7f0000000540)={0x0, <r5=>0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ""/16, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000440)=0x9, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, &(0x7f0000000480)={0x0, 0x5e, 0x1, 0x3}, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000500)=0x64}}, 0x10)
bpf$BPF_PROG_GET_FD_BY_ID(0xd, &(0x7f0000000640)=r5, 0x4)
bpf$BPF_GET_BTF_INFO(0xf, &(0x7f00000008c0)={0xffffffffffffffff, 0x10, &(0x7f0000000880)={&(0x7f0000000240)=""/15, 0xf}}, 0x10)
r6 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000140)='memory.events\x00', 0x7a05, 0x1700)
perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x44a95, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x80)
write$cgroup_subtree(r3, &(0x7f0000000540)=ANY=[], 0x22b5)
ioctl$PERF_EVENT_IOC_PERIOD(r6, 0x4030582a, &(0x7f0000000040))
write$cgroup_pid(r4, &(0x7f0000000000), 0x200)
openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x7a05, 0x1700)
bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000200)={<r7=>0x0, r2, 0x0, 0x2, &(0x7f0000000100)=']\x00', <r8=>0xffffffffffffffff}, 0x30)
bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000280)={0x0, r2, 0x0, 0x2, &(0x7f00000000c0)=':\x00', r8}, 0x30)
perf_event_open(&(0x7f00000006c0)={0x2, 0x70, 0x0, 0x422641d6, 0x100, 0x5, 0x0, 0x3ff, 0x80400, 0x0, 0x3, 0x0, 0x3, 0x4, 0x1, 0x0, 0x1067, 0x0, 0x6, 0x3, 0x2, 0x3, 0x5, 0x80000000, 0xffffffffffff2022, 0x4, 0x0, 0x160, 0x3, 0xbb, 0x0, 0x4, 0x40, 0x0, 0x5, 0x10001, 0xb5e3, 0x0, 0x0, 0x5, 0x4, @perf_config_ext={0x5, 0x7}, 0x4, 0x8, 0x6, 0x7, 0x1, 0x101, 0x1}, r7, 0xffffffffffffffff, r1, 0x2)
perf_event_open(&(0x7f00000003c0)={0x3, 0x70, 0x0, 0x4f1, 0x9, 0x0, 0x0, 0x0, 0x4000, 0xc, 0x497, 0x4ba, 0x9, 0x1, 0x5, 0x4, 0x7, 0x96, 0x1000, 0x1ff, 0x8, 0x0, 0x0, 0xff, 0x1ff, 0x5, 0x8, 0xffffffff00000000, 0xbf, 0x4, 0x800, 0x9, 0x20, 0x9f, 0x0, 0x8, 0xcfa, 0x81, 0x0, 0xfffffffffffffffc, 0x6, @perf_bp={0x0, 0x4}, 0x1200, 0x0, 0x0, 0xf, 0x33bab925, 0x2, 0x3f}, 0x0, 0x10, 0xffffffffffffffff, 0x2)

14:49:03 executing program 0:
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, 0x0)
r2 = openat(0xffffffffffffff9c, 0x0, 0x200, 0x10)
sendmsg$SEG6_CMD_GET_TUNSRC(r2, 0x0, 0x1)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000180)={0x14, 0x0, &(0x7f0000005fd4)=[@acquire_done={0x40486311}], 0x0, 0x0, &(0x7f0000000680)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper], 0x1, 0x0, &(0x7f0000000040)="f0"})
setsockopt$inet_pktinfo(0xffffffffffffffff, 0x0, 0x8, &(0x7f0000000100)={0x0, @local, @initdev={0xac, 0x1e, 0x1, 0x0}}, 0xc)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000540)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, 0x0})

14:49:03 executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0)
perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10000003, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_GET_REG_LIST(0xffffffffffffffff, 0xc008aeb0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000028000/0x18000)=nil, &(0x7f0000000140)=[@textreal={0x8, 0x0}], 0x1, 0x0, 0x0, 0xffffffffffffff1d)

14:49:03 executing program 2:
mkdir(&(0x7f0000000180)='./file0\x00', 0x0)
mount(0x0, &(0x7f0000000140)='./file0\x00', &(0x7f00000001c0)='tmpfs\x00', 0x0, 0x0)
mkdir(&(0x7f0000000040)='./file0/file1\x00', 0x0)
rename(&(0x7f0000000100)='./file0/file1\x00', &(0x7f0000000240)='./file0/file0\x00')

14:49:03 executing program 4:
r0 = socket$netlink(0x10, 0x3, 0x4)
sendmsg$nl_generic(r0, &(0x7f0000005000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000140)=ANY=[@ANYBLOB="48000000140007000081a31d363a15441e1068c19369c9a32c0000000000000002ff00cff97465821b0965512fe4fa59a835ee667f000001fd3953ffee03d79dc442c6bbe736864e2c42293abfaf4abb743d55a7374efe000000"], 0x1}}, 0x0)

[  210.058040][ T8147] binder_alloc: 8077: binder_alloc_buf, no vma
[  210.096427][ T8147] binder: 8146:8147 ERROR: BC_REGISTER_LOOPER called without request
14:49:03 executing program 4:
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r0 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r0, &(0x7f0000000000)={0x26, 'aead\x00', 0x0, 0x0, 'morus640-generic\x00'}, 0x58)
prctl$PR_GET_FP_MODE(0x2e)
setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000080)="ab553fec94248c32e27d04000000288a", 0x10)
openat$full(0xffffffffffffff9c, 0x0, 0x800, 0x0)
clock_gettime(0x0, &(0x7f0000000900))
r1 = accept$alg(r0, 0x0, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(0xffffffffffffffff, 0x8933, &(0x7f0000000340)={'vcan0\x00'})
ioctl$SG_GET_COMMAND_Q(0xffffffffffffffff, 0x2270, &(0x7f00000002c0))
sendmsg$alg(r1, &(0x7f0000001380)={0x0, 0x0, 0x0, 0x0, &(0x7f00000000c0)=[@op={0x18, 0x117, 0x3, 0x1}, @assoc={0x18, 0x117, 0x4, 0x2f5}], 0x30}, 0x0)
write$binfmt_script(r1, &(0x7f0000000600)=ANY=[], 0xfec8)
recvmmsg(r1, &(0x7f0000007e00)=[{{0x0, 0x0, &(0x7f0000004700)=[{&(0x7f00000012c0)=""/167, 0xa7}, {0x0}, {&(0x7f0000003580)=""/4096, 0x1000}], 0x3, &(0x7f0000004780)=""/245, 0xf5}}], 0x1, 0x0, &(0x7f0000008000)={0x0, 0x989680})

[  210.177392][ T8156] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details.
[  210.200425][ T8159] binder_alloc: 8077: binder_alloc_buf, no vma
14:49:04 executing program 5:
r0 = socket$inet_udp(0x2, 0x2, 0x0)
ioctl(r0, 0x1000008912, &(0x7f0000000080)="0adc5f123c123f319bd070")
r1 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup\x00', 0x200002, 0x0)
r2 = openat$cgroup_ro(r1, &(0x7f0000000000)='cgroup.controllers\x00', 0x275a, 0x0)
ftruncate(r2, 0x0)

14:49:04 executing program 2:
r0 = socket$inet(0xa, 0x801, 0x0)
getsockopt$ARPT_SO_GET_REVISION_TARGET(r0, 0x0, 0x63, &(0x7f0000000100)={'icmp\x00'}, &(0x7f0000000140)=0x1e)

14:49:04 executing program 0:
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, 0x0)
r2 = openat(0xffffffffffffff9c, 0x0, 0x200, 0x10)
sendmsg$SEG6_CMD_GET_TUNSRC(r2, 0x0, 0x1)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000180)={0x14, 0x0, &(0x7f0000005fd4)=[@acquire_done={0x40486311}], 0x0, 0x0, &(0x7f0000000680)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper], 0x1, 0x0, &(0x7f0000000040)="f0"})
setsockopt$inet_pktinfo(0xffffffffffffffff, 0x0, 0x8, &(0x7f0000000100)={0x0, @local, @initdev={0xac, 0x1e, 0x1, 0x0}}, 0xc)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000540)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, 0x0})

14:49:04 executing program 3:
r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
preadv(r0, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x100000000000024d, 0x0)
r1 = syz_open_procfs(0x0, &(0x7f0000000080)='cpuset\x00')
openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000040)='/dev/cachefiles\x00', 0x0, 0x0)
preadv(r1, &(0x7f0000000480), 0x1000000000000237, 0x0)

[  210.534645][ T8174] binder_alloc: 8077: binder_alloc_buf, no vma
14:49:04 executing program 4:
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r0 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r0, &(0x7f0000000000)={0x26, 'aead\x00', 0x0, 0x0, 'morus640-generic\x00'}, 0x58)
prctl$PR_GET_FP_MODE(0x2e)
setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000080)="ab553fec94248c32e27d04000000288a", 0x10)
openat$full(0xffffffffffffff9c, 0x0, 0x800, 0x0)
clock_gettime(0x0, &(0x7f0000000900))
r1 = accept$alg(r0, 0x0, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(0xffffffffffffffff, 0x8933, &(0x7f0000000340)={'vcan0\x00'})
ioctl$SG_GET_COMMAND_Q(0xffffffffffffffff, 0x2270, &(0x7f00000002c0))
sendmsg$alg(r1, &(0x7f0000001380)={0x0, 0x0, 0x0, 0x0, &(0x7f00000000c0)=[@op={0x18, 0x117, 0x3, 0x1}, @assoc={0x18, 0x117, 0x4, 0x2f5}], 0x30}, 0x0)
write$binfmt_script(r1, &(0x7f0000000600)=ANY=[], 0xfec8)
recvmmsg(r1, &(0x7f0000007e00)=[{{0x0, 0x0, &(0x7f0000004700)=[{&(0x7f00000012c0)=""/167, 0xa7}, {0x0}, {&(0x7f0000003580)=""/4096, 0x1000}], 0x3, &(0x7f0000004780)=""/245, 0xf5}}], 0x1, 0x0, &(0x7f0000008000)={0x0, 0x989680})

[  210.586326][ T8174] binder: 8173:8174 ERROR: BC_REGISTER_LOOPER called without request
14:49:04 executing program 3:
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r0 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r0, &(0x7f0000000000)={0x26, 'aead\x00', 0x0, 0x0, 'morus640-generic\x00'}, 0x58)
prctl$PR_GET_FP_MODE(0x2e)
setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000080)="ab553fec94248c32e27d04000000288a", 0x10)
openat$full(0xffffffffffffff9c, 0x0, 0x800, 0x0)
clock_gettime(0x0, &(0x7f0000000900))
r1 = accept$alg(r0, 0x0, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(0xffffffffffffffff, 0x8933, &(0x7f0000000340)={'vcan0\x00'})
ioctl$SG_GET_COMMAND_Q(0xffffffffffffffff, 0x2270, &(0x7f00000002c0))
sendmsg$alg(r1, &(0x7f0000001380)={0x0, 0x0, 0x0, 0x0, &(0x7f00000000c0)=[@op={0x18, 0x117, 0x3, 0x1}, @assoc={0x18, 0x117, 0x4, 0x2f5}], 0x30}, 0x0)
write$binfmt_script(r1, &(0x7f0000000600)=ANY=[], 0xfec8)
recvmmsg(r1, &(0x7f0000007e00)=[{{0x0, 0x0, &(0x7f0000004700)=[{&(0x7f00000012c0)=""/167, 0xa7}, {0x0}, {&(0x7f0000003580)=""/4096, 0x1000}], 0x3, &(0x7f0000004780)=""/245, 0xf5}}], 0x1, 0x0, &(0x7f0000008000)={0x0, 0x989680})

14:49:04 executing program 0:

14:49:04 executing program 5:
r0 = socket$inet_udp(0x2, 0x2, 0x0)
ioctl(r0, 0x1000008912, &(0x7f0000000080)="0adc5f123c123f319bd070")
r1 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup\x00', 0x200002, 0x0)
r2 = openat$cgroup_ro(r1, &(0x7f0000000000)='cgroup.controllers\x00', 0x275a, 0x0)
ftruncate(r2, 0x0)

[  211.351376][ T2888] binder: undelivered TRANSACTION_ERROR: 29189
[  211.357655][ T2888] binder: undelivered TRANSACTION_ERROR: 29189
[  211.363937][ T2888] binder: undelivered TRANSACTION_ERROR: 29189
[  211.370173][ T2888] binder: undelivered TRANSACTION_ERROR: 29201
[  211.376357][ T2888] binder: undelivered TRANSACTION_ERROR: 29189
[  211.382705][ T2888] binder: undelivered TRANSACTION_ERROR: 29201
[  211.389002][ T2888] binder: undelivered TRANSACTION_ERROR: 29189
[  211.395186][ T2888] binder: undelivered TRANSACTION_ERROR: 29201
14:49:05 executing program 1:
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r0 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r0, &(0x7f0000000000)={0x26, 'aead\x00', 0x0, 0x0, 'morus640-generic\x00'}, 0x58)
setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000080)="ab553fec94248c32e27d04000000288a", 0x10)
r1 = accept$alg(r0, 0x0, 0x0)
write$binfmt_script(r1, &(0x7f0000000600)=ANY=[], 0xfec8)
recvmmsg(r1, &(0x7f0000007e00)=[{{&(0x7f0000001240)=@alg, 0x80, &(0x7f0000004700)=[{&(0x7f00000012c0)=""/167, 0xf}, {&(0x7f00000023c0)=""/49, 0x200023f1}, {&(0x7f0000003580)=""/4096, 0x1000}], 0x3, &(0x7f0000004780)=""/245, 0xf5}}], 0x30, 0x0, &(0x7f0000008000)={0x0, 0x989680})

14:49:05 executing program 4:

14:49:05 executing program 0:

14:49:05 executing program 5:

14:49:05 executing program 3:

[  211.401475][ T2888] binder: undelivered TRANSACTION_ERROR: 29189
[  211.407729][ T2888] binder: undelivered TRANSACTION_ERROR: 29201
14:49:05 executing program 2:

14:49:05 executing program 3:

14:49:05 executing program 0:

14:49:05 executing program 4:

14:49:05 executing program 5:

14:49:05 executing program 3:

14:49:05 executing program 0:

14:49:05 executing program 1:

14:49:05 executing program 5:

14:49:05 executing program 4:

14:49:05 executing program 2:

14:49:05 executing program 4:

14:49:05 executing program 1:

14:49:05 executing program 0:

14:49:05 executing program 3:

14:49:05 executing program 5:

14:49:05 executing program 0:

14:49:05 executing program 1:

14:49:05 executing program 4:

14:49:05 executing program 5:

14:49:05 executing program 2:

14:49:05 executing program 3:

14:49:05 executing program 0:

14:49:05 executing program 1:

14:49:05 executing program 2:

14:49:05 executing program 4:

14:49:05 executing program 5:

14:49:05 executing program 3:

14:49:06 executing program 1:

14:49:06 executing program 4:

14:49:06 executing program 0:

14:49:06 executing program 2:

14:49:06 executing program 5:

14:49:06 executing program 1:

14:49:06 executing program 3:

14:49:06 executing program 4:

14:49:06 executing program 2:

14:49:06 executing program 0:

14:49:06 executing program 5:

14:49:06 executing program 3:

14:49:06 executing program 1:

14:49:06 executing program 4:

14:49:06 executing program 2:

14:49:06 executing program 5:

14:49:06 executing program 0:

14:49:06 executing program 3:

14:49:06 executing program 1:

14:49:06 executing program 4:

14:49:06 executing program 0:

14:49:06 executing program 5:

14:49:06 executing program 2:

14:49:06 executing program 3:

14:49:06 executing program 1:

14:49:06 executing program 4:

14:49:06 executing program 0:
r0 = socket$inet(0x2, 0x3, 0x6)
r1 = socket$netlink(0x10, 0x3, 0x4)
connect$inet(r0, &(0x7f0000000100)={0x2, 0x0, @empty}, 0x10)
sendmsg$nl_generic(r1, &(0x7f0000005000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)={0x48, 0x14, 0x7, 0x0, 0x0, {0x2, 0xf0ffff, 0x600}, [@typed={0x34, 0x0, @binary="582f45cff97465821b0965512fe4fa59a835ee66f9746582fd3953ffee03d79dc442c6bbe736863d55a7374efe"}]}, 0x48}}, 0x0)

14:49:06 executing program 3:
r0 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ppp\x00', 0x0, 0x0)
ioctl$PPPIOCNEWUNIT(r0, 0xc004743e, &(0x7f00000000c0))

14:49:06 executing program 5:
perf_event_open(&(0x7f0000000040)={0x2, 0x70, 0xee68, 0x1, 0x0, 0x0, 0x0, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
ioctl$BLKTRACESTOP(0xffffffffffffffff, 0x1275, 0x0)
syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x800000000e004, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0)
r0 = open(&(0x7f0000000200)='./file0\x00', 0x0, 0x0)
fchdir(r0)
getsockopt$inet_IP_XFRM_POLICY(0xffffffffffffffff, 0x0, 0x11, 0x0, &(0x7f0000000100))
setsockopt$packet_add_memb(0xffffffffffffffff, 0x107, 0x1, 0x0, 0x0)
ioctl$sock_netdev_private(r0, 0x89f9, &(0x7f00000003c0)="84420ca704018f0165774b3408a0e6c96eb49bfdbb5deafded524691fd470636752856db98064cf079f066bb27e63d9409d8db39897efddd88f46d31cc6f7b8698b2d3f42115e29cacc8ca7e77c324a9549e7359885891e8ce6a7c8684c0e17cb03d9c8eabc2cab1496dc2f057d971ea013e")
rmdir(&(0x7f00000005c0)='./bus\x00')
write$cgroup_type(0xffffffffffffffff, 0x0, 0x0)
write$UHID_DESTROY(r0, &(0x7f0000000280), 0x4)
lsetxattr$security_evm(0x0, &(0x7f0000000240)='security.evm\x00', &(0x7f0000000180)=ANY=[@ANYBLOB="02871eae5b3d38849fd139e04759c83d338c8939c643ee6e8ffc2b3955aadd124ce3bc1da81a746c7957"], 0x1, 0x1)
r1 = open(&(0x7f00000000c0)='./bus\x00', 0x141042, 0x0)
write$binfmt_aout(r1, &(0x7f0000000340)=ANY=[@ANYBLOB="00000000000000000700080000ee8b08b7960ff7aa6e041c7700fdff863809aa0063b8f24252b1d85cbf000000000038f710653f0ffb09f0d536b564df5e0a9efd50fe203534da91b5b9fb501e1ac4bfa3841f9d63e232b9b2500fb1d96033ccfdff066428eb4c319a6d"], 0x6a)
perf_event_open(&(0x7f0000000800)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50a, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
unlink(&(0x7f0000000040)='./bus\x00')
sendfile(r1, r1, &(0x7f0000000000), 0x8080fffffffe)
r2 = syz_open_dev$usbmon(0x0, 0x1, 0x121001)
ioctl$GIO_UNISCRNMAP(r1, 0x4b69, &(0x7f0000000440)=""/144)
ioctl$DRM_IOCTL_AGP_ALLOC(r2, 0xc0206434, &(0x7f00000001c0)={0x8, <r3=>0x0, 0x10001})
ioctl$DRM_IOCTL_AGP_UNBIND(r1, 0x40106437, &(0x7f0000000300)={r3, 0x7fffffff})
setsockopt$inet_tcp_TLS_RX(0xffffffffffffffff, 0x6, 0x2, &(0x7f0000000600), 0x4)
prctl$PR_SVE_SET_VL(0x32, 0x12e5e)
prctl$PR_GET_DUMPABLE(0x3)
getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffffff, 0x29, 0x22, 0x0, &(0x7f0000000500))
quotactl(0x6, 0x0, 0x0, 0x0)
mkdir(&(0x7f0000000580)='./bus\x00', 0x0)

14:49:06 executing program 2:
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r0 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r0, &(0x7f0000000000)={0x26, 'aead\x00', 0x0, 0x0, 'morus640-generic\x00'}, 0x58)
setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000080)="ab553fec94248c32e27d04000000288a", 0x10)
r1 = accept$alg(r0, 0x0, 0x0)
write$binfmt_script(r1, &(0x7f0000000600)=ANY=[], 0xfec8)
recvmmsg(r1, &(0x7f0000007e00)=[{{&(0x7f0000001240)=@alg, 0x80, &(0x7f0000004700)=[{&(0x7f00000023c0)=""/49, 0x31}, {&(0x7f0000003580)=""/4096, 0x1000}], 0x2}}], 0x1, 0x0, &(0x7f0000008000)={0x0, 0x989680})

14:49:06 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'})
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x5, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001"], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x14, 0x0, &(0x7f0000000680)=[@acquire_done], 0x0, 0x0, 0x0})

14:49:06 executing program 4:

14:49:06 executing program 0:
r0 = socket$inet(0x2, 0x3, 0x6)
r1 = socket$netlink(0x10, 0x3, 0x4)
connect$inet(r0, &(0x7f0000000100)={0x2, 0x0, @empty}, 0x10)
sendmsg$nl_generic(r1, &(0x7f0000005000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)={0x48, 0x14, 0x7, 0x0, 0x0, {0x2, 0xf0ffff, 0x600}, [@typed={0x34, 0x0, @binary="582f45cff97465821b0965512fe4fa59a835ee66f9746582fd3953ffee03d79dc442c6bbe736863d55a7374efe"}]}, 0x48}}, 0x0)

[  213.285410][ T8333] binder: 8332:8333 ioctl c018620b 0 returned -14
14:49:07 executing program 4:

14:49:07 executing program 2:

[  213.382293][ T8344] binder_alloc: binder_alloc_mmap_handler: 8332 20001000-20004000 already mapped failed -16
14:49:07 executing program 0:
r0 = socket$inet(0x2, 0x3, 0x6)
r1 = socket$netlink(0x10, 0x3, 0x4)
connect$inet(r0, &(0x7f0000000100)={0x2, 0x0, @empty}, 0x10)
sendmsg$nl_generic(r1, &(0x7f0000005000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)={0x48, 0x14, 0x7, 0x0, 0x0, {0x2, 0xf0ffff, 0x600}, [@typed={0x34, 0x0, @binary="582f45cff97465821b0965512fe4fa59a835ee66f9746582fd3953ffee03d79dc442c6bbe736863d55a7374efe"}]}, 0x48}}, 0x0)

14:49:07 executing program 3:

[  213.432855][ T8333] binder: 8332:8333 ioctl c018620b 0 returned -14
[  213.436456][ T8347] binder: BINDER_SET_CONTEXT_MGR already set
[  213.482923][ T8351] binder: 8332:8351 Release 1 refcount change on invalid ref 1 ret -22
[  213.490289][ T8347] binder: 8332:8347 ioctl 40046207 0 returned -16
[  213.497818][ T8348] binder_alloc: 8332: binder_alloc_buf, no vma
[  213.517298][ T8348] binder_transaction: 4 callbacks suppressed
[  213.517315][ T8348] binder: 8332:8348 transaction failed 29189/-3, size 24-8 line 3148
14:49:07 executing program 0:
r0 = socket$inet(0x2, 0x3, 0x6)
r1 = socket$netlink(0x10, 0x3, 0x4)
connect$inet(r0, &(0x7f0000000100)={0x2, 0x0, @empty}, 0x10)
sendmsg$nl_generic(r1, &(0x7f0000005000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)={0x48, 0x14, 0x7, 0x0, 0x0, {0x2, 0xf0ffff, 0x600}, [@typed={0x34, 0x0, @binary="582f45cff97465821b0965512fe4fa59a835ee66f9746582fd3953ffee03d79dc442c6bbe736863d55a7374efe"}]}, 0x48}}, 0x0)

14:49:07 executing program 3:

[  213.567285][ T7921] binder: release 8332:8344 transaction 23 out, still active
14:49:07 executing program 4:

[  213.612343][ T7921] binder: send failed reply for transaction 23, target dead
14:49:07 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'})
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x5, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001"], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x14, 0x0, &(0x7f0000000680)=[@acquire_done], 0x0, 0x0, 0x0})

14:49:07 executing program 2:

14:49:07 executing program 0:
socket$inet(0x2, 0x3, 0x6)
r0 = socket$netlink(0x10, 0x3, 0x4)
sendmsg$nl_generic(r0, &(0x7f0000005000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)={0x48, 0x14, 0x7, 0x0, 0x0, {0x2, 0xf0ffff, 0x600}, [@typed={0x34, 0x0, @binary="582f45cff97465821b0965512fe4fa59a835ee66f9746582fd3953ffee03d79dc442c6bbe736863d55a7374efe"}]}, 0x48}}, 0x0)

14:49:07 executing program 4:

14:49:07 executing program 3:

14:49:07 executing program 5:

14:49:07 executing program 4:

14:49:07 executing program 2:

14:49:07 executing program 3:

14:49:07 executing program 0:
socket$inet(0x2, 0x3, 0x6)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000005000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)={0x48, 0x14, 0x7, 0x0, 0x0, {0x2, 0xf0ffff, 0x600}, [@typed={0x34, 0x0, @binary="582f45cff97465821b0965512fe4fa59a835ee66f9746582fd3953ffee03d79dc442c6bbe736863d55a7374efe"}]}, 0x48}}, 0x0)

[  214.087678][ T8380] binder: 8374:8380 ioctl c018620b 0 returned -14
[  214.172418][ T7921] binder: release 8374:8381 transaction 28 out, still active
14:49:07 executing program 1:
r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'})
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x5, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001"], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x14, 0x0, &(0x7f0000000680)=[@acquire_done], 0x0, 0x0, 0x0})

14:49:07 executing program 3:

14:49:07 executing program 4:

14:49:08 executing program 2:

14:49:08 executing program 5:

[  214.250579][ T7921] binder: send failed reply for transaction 28, target dead
14:49:08 executing program 0:
socket$inet(0x2, 0x3, 0x6)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000005000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)={0x48, 0x14, 0x7, 0x0, 0x0, {0x2, 0xf0ffff, 0x600}, [@typed={0x34, 0x0, @binary="582f45cff97465821b0965512fe4fa59a835ee66f9746582fd3953ffee03d79dc442c6bbe736863d55a7374efe"}]}, 0x48}}, 0x0)

[  214.334745][ T8396] binder: 8395:8396 ioctl c018620b 0 returned -14
14:49:08 executing program 3:

14:49:08 executing program 4:

14:49:08 executing program 5:

14:49:08 executing program 2:

14:49:08 executing program 0:
socket$inet(0x2, 0x3, 0x6)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000005000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)={0x48, 0x14, 0x7, 0x0, 0x0, {0x2, 0xf0ffff, 0x600}, [@typed={0x34, 0x0, @binary="582f45cff97465821b0965512fe4fa59a835ee66f9746582fd3953ffee03d79dc442c6bbe736863d55a7374efe"}]}, 0x48}}, 0x0)

[  214.463241][ T8407] binder: 8395:8407 BC_ACQUIRE_DONE u0000000000000000 no match
14:49:08 executing program 3:

14:49:08 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200)
pipe(&(0x7f0000000340)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
write$UHID_CREATE2(r2, &(0x7f00000001c0)=ANY=[@ANYBLOB='\v'], 0x1)
r3 = socket$inet_udp(0x2, 0x2, 0x0)
close(r3)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r4=>0xffffffffffffffff})
setsockopt$SO_ATTACH_FILTER(r4, 0x1, 0x1a, &(0x7f0000ab9ff0)={0x2, &(0x7f000039a000)=[{0x20, 0x0, 0x0, 0x7ffffffffffff00c}, {0x6}]}, 0x10)
write$binfmt_misc(r2, &(0x7f0000000140)=ANY=[], 0x4240a2a0)
splice(r1, 0x0, r3, 0x0, 0x10005, 0x0)

14:49:08 executing program 4:

14:49:08 executing program 2:

14:49:08 executing program 5:

14:49:08 executing program 0:
r0 = socket$netlink(0x10, 0x3, 0x4)
sendmsg$nl_generic(r0, &(0x7f0000005000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)={0x48, 0x14, 0x7, 0x0, 0x0, {0x2, 0xf0ffff, 0x600}, [@typed={0x34, 0x0, @binary="582f45cff97465821b0965512fe4fa59a835ee66f9746582fd3953ffee03d79dc442c6bbe736863d55a7374efe"}]}, 0x48}}, 0x0)

14:49:08 executing program 3:
perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r0 = add_key$keyring(0x0, &(0x7f0000000340)={'syz'}, 0x0, 0x0, 0xfffffffffffffffc)
socket$inet6(0xa, 0x2, 0x0)
ioctl$BLKFLSBUF(0xffffffffffffffff, 0x1261, 0x0)
r1 = creat(&(0x7f0000000000)='./file0\x00', 0x80)
ioctl$SNDRV_SEQ_IOCTL_SET_CLIENT_INFO(r1, 0x40bc5311, 0x0)
recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_INFO(r1, 0xc0bc5310, &(0x7f0000000240))
perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
ioctl$SNDRV_SEQ_IOCTL_SET_CLIENT_INFO(r1, 0x40bc5311, &(0x7f0000000380)={0xd1ee, 0x3, 'client0\x00', 0x1, "262ebd337fa2abf8", "7e083401503478e2a1a6d417bcb435b240431c170194e89653f8c98412107df0", 0x75, 0x946})
r2 = socket(0x200000000000011, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000000c0)={'sit0\x00', <r3=>0x0})
syz_open_dev$vcsn(0x0, 0x1, 0x0)
lgetxattr(0x0, &(0x7f0000000200)=@known='trusted.overlay.redirect\x00', 0x0, 0x0)
bind$packet(r2, &(0x7f0000000040)={0x11, 0x0, r3, 0x1, 0x0, 0x6, @broadcast}, 0x14)
setsockopt$packet_int(r2, 0x107, 0x14, &(0x7f0000000180)=0x20, 0x4)
setsockopt$inet_pktinfo(0xffffffffffffffff, 0x0, 0x8, 0x0, 0x0)
ftruncate(0xffffffffffffffff, 0x8)
sendmmsg(r2, &(0x7f0000000d00), 0x400004e, 0x0)
getsockopt$SO_COOKIE(0xffffffffffffffff, 0x1, 0x39, 0x0, 0x0)
setsockopt$inet_tcp_TCP_CONGESTION(0xffffffffffffffff, 0x6, 0xd, 0x0, 0x0)
setsockopt$ARPT_SO_SET_REPLACE(r2, 0x0, 0x60, &(0x7f0000000800)=ANY=[@ANYBLOB="66696c746572000000000000000000000000000000000000000000000000000007000000040000006004000058020000580200001801000078030000780300007803000004000000000000000000000000000000ac14140effffffff00000000aaaaaaaaaabb00000000000000000000000000000000000000000000ffff0000000000000000000000000000000000000000000000000000000000000000000000000000ff00000000000000000000000008000300af0400bfcb0000697036746e6c3000000000fcffffffff617269644f655f736c6176655f31000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0001801000000000000000000000000000000000000000000000000000028004e46515545554500000000000000000000000000000000000000000000030000006003000000ac1414aae00000020000000000000000aaaaaaaaaabb000000000000000000000000000000000000ffff0000000000000000000000000000aaaaaaaaaaaa00000000000000000000000000000000000000ff0000ffff00000000000000000000000000fc0000000000001bca697036677265746170300000000000006970646470300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0004001000000000000000000000000000000000000000000000000000050006d616e676c65000000000000000000000000000000000000000000000000aaaaaaaaaaaa0000000000000000000000000000000000000000000000000000ac1e00017f0000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f000200100000000000000000000000000000000000000000000000000003000434f4e4e4d41524b000000000000000000000000000000000000000000010600000020000000000000000000000000000000660a8185000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c000e8000000000000000000000000000000000000000000000000002800000000000000000000000000000000000000000000000000000000000000feffffff00000000"], 0x1)
keyctl$search(0xa, r0, &(0x7f0000000100)='syzkaller\x00', 0x0, r0)
r4 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000140)='~\xea\x00w')
openat$ppp(0xffffffffffffff9c, &(0x7f0000000180)='/dev/ppp\x00', 0x80000, 0x0)
ioctl$LOOP_SET_FD(r4, 0x4c00, 0xffffffffffffffff)
prctl$PR_SET_MM(0x23, 0x2, &(0x7f0000ffe000/0x1000)=nil)

[  215.093974][    T5] binder: release 8395:8396 transaction 32 out, still active
[  215.106460][ T7921] binder: send failed reply for transaction 32, target dead
14:49:08 executing program 2:
symlink(0x0, 0x0)
lstat(0x0, 0x0)
ioctl$PERF_EVENT_IOC_PERIOD(0xffffffffffffffff, 0x40082404, 0x0)
write$P9_RCREATE(0xffffffffffffffff, 0x0, 0x0)
r0 = eventfd(0x0)
lsetxattr$security_smack_entry(0x0, 0x0, 0x0, 0x0, 0x0)
write$P9_RLOCK(r0, &(0x7f0000000840)={0x8}, 0x8)

14:49:08 executing program 4:
openat$zero(0xffffffffffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x0, 0x0)
add_key$keyring(0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe)
r0 = openat$cgroup_procs(0xffffffffffffffff, &(0x7f0000000000), 0x2, 0x0)
request_key(0x0, 0x0, 0x0, 0x0)
write$binfmt_aout(0xffffffffffffffff, 0x0, 0x0)
prctl$PR_SET_MM(0x23, 0x0, &(0x7f0000ffa000/0x4000)=nil)
ioctl$FIBMAP(r0, 0x5421, &(0x7f0000000080))

14:49:08 executing program 5:

14:49:08 executing program 0:
r0 = socket$netlink(0x10, 0x3, 0x0)
sendmsg$nl_generic(r0, &(0x7f0000005000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)={0x48, 0x14, 0x7, 0x0, 0x0, {0x2, 0xf0ffff, 0x600}, [@typed={0x34, 0x0, @binary="582f45cff97465821b0965512fe4fa59a835ee66f9746582fd3953ffee03d79dc442c6bbe736863d55a7374efe"}]}, 0x48}}, 0x0)

14:49:09 executing program 5:

[  215.320999][ T8449] netlink: 48 bytes leftover after parsing attributes in process `syz-executor.0'.
14:49:09 executing program 2: