[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [ 38.490613][ T26] audit: type=1800 audit(1554648372.184:25): pid=7727 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 38.511150][ T26] audit: type=1800 audit(1554648372.184:26): pid=7727 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 38.532209][ T26] audit: type=1800 audit(1554648372.184:27): pid=7727 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.76' (ECDSA) to the list of known hosts. 2019/04/07 14:46:37 fuzzer started 2019/04/07 14:46:40 dialing manager at 10.128.0.26:34543 2019/04/07 14:46:41 syscalls: 2408 2019/04/07 14:46:41 code coverage: enabled 2019/04/07 14:46:41 comparison tracing: enabled 2019/04/07 14:46:41 extra coverage: extra coverage is not supported by the kernel 2019/04/07 14:46:41 setuid sandbox: enabled 2019/04/07 14:46:41 namespace sandbox: enabled 2019/04/07 14:46:41 Android sandbox: /sys/fs/selinux/policy does not exist 2019/04/07 14:46:41 fault injection: enabled 2019/04/07 14:46:41 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2019/04/07 14:46:41 net packet injection: enabled 2019/04/07 14:46:41 net device setup: enabled 14:48:53 executing program 0: r0 = inotify_init1(0x0) fcntl$setown(r0, 0x8, 0xffffffffffffffff) fcntl$getownex(r0, 0x10, &(0x7f0000000240)={0x0, 0x0}) ptrace$setopts(0x4206, r1, 0x0, 0x0) syzkaller login: [ 199.825852][ T7892] IPVS: ftp: loaded support on port[0] = 21 14:48:53 executing program 1: capset(&(0x7f0000560ff8)={0x19980330}, &(0x7f00003fd000)) perf_event_open(&(0x7f0000000000)={0x2, 0x70, 0x800000000000012, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semop(0x0, &(0x7f0000000480)=[{}], 0x1) [ 199.931263][ T7892] chnl_net:caif_netlink_parms(): no params data found [ 200.016231][ T7892] bridge0: port 1(bridge_slave_0) entered blocking state [ 200.039040][ T7892] bridge0: port 1(bridge_slave_0) entered disabled state [ 200.047482][ T7892] device bridge_slave_0 entered promiscuous mode [ 200.071593][ T7892] bridge0: port 2(bridge_slave_1) entered blocking state [ 200.089004][ T7892] bridge0: port 2(bridge_slave_1) entered disabled state [ 200.097067][ T7892] device bridge_slave_1 entered promiscuous mode [ 200.126820][ T7895] IPVS: ftp: loaded support on port[0] = 21 [ 200.147074][ T7892] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 200.173841][ T7892] bond0: Enslaving bond_slave_1 as an active interface with an up link 14:48:53 executing program 2: r0 = open(&(0x7f000000fffa)='./bus\x00', 0x141042, 0x0) close(r0) r1 = syz_open_dev$loop(&(0x7f0000ca9ff5)='/dev/loop#\x00', 0x0, 0x105082) r2 = memfd_create(&(0x7f0000000180)='\x00GG\xf8\xf74<\x1ax\xef5\xcc4x\x91p\xac72\xfa\x97\bV\xc2\x16^+\xc5\xf3\x13>\xb99\xeat\xaf\xac3\x95\x1eHJ\x17\x9f\xd2\\G}\xc2\xfe\x1f2\xf7\xae\xe59\xaf\xcc\x99\xc6\xd0\xe8_\x19-\x85/n\xd8\nDs', 0x0) pwritev(r2, &(0x7f0000000080)=[{&(0x7f00000000c0)="a8", 0x1}], 0x1, 0x81003) ioctl$LOOP_CHANGE_FD(r1, 0x4c00, r2) mmap(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x800002, 0x11, r0, 0x0) pipe(&(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r5, 0x8912, 0x400200) write(r4, &(0x7f00000001c0), 0x526987c9) read(r3, &(0x7f0000000200)=""/250, 0x50c7e3e3) [ 200.217812][ T7892] team0: Port device team_slave_0 added [ 200.226247][ T7892] team0: Port device team_slave_1 added [ 200.373218][ T7892] device hsr_slave_0 entered promiscuous mode 14:48:54 executing program 3: socket$inet6(0xa, 0x3, 0x6) fdatasync(0xffffffffffffff9c) socket$inet6(0xa, 0x1000000000002, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sendmsg$IPVS_CMD_DEL_DEST(0xffffffffffffffff, &(0x7f0000000580)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x4}, 0xc, &(0x7f0000000040)={&(0x7f0000000380)=ANY=[@ANYBLOB="9287b748246deeca588edacd5c1cc596a848a41b96d72d9ff1ffcd245d4623bea592fa911a59141ad79770daa350bbd501b4cb95cf19700700000000000000625d08ef137426f4997e282f68591512c4636d34e1d3cc668e8b4f8843a8485590d2eacc2773f295290a92d6f061f3d87a22968a81d80da9a6c39f5c7aa09f49456049763d7bb11d1171be83d26f047ce47c565dbf107ab9605a473e04c7e779a0c244ca4388df158abb"], 0x1}, 0x1, 0x0, 0x0, 0x90}, 0xfffffffffffffffd) r0 = socket$inet6(0xa, 0x6, 0x0) bind$inet6(r0, &(0x7f0000000000)={0xa, 0x4e20}, 0x1c) r1 = socket$inet_dccp(0x2, 0x6, 0x0) listen(r0, 0x6) setsockopt(r1, 0x10d, 0x800000000d, &(0x7f00001c9fff)="03", 0x1) connect$inet(r1, &(0x7f0000e5c000)={0x2, 0x4e20, @dev={0xac, 0x14, 0x14, 0x20}}, 0x10) r2 = accept(r0, 0x0, &(0x7f00000001c0)=0x281) sendmmsg(r1, &(0x7f0000005700)=[{{&(0x7f0000003900)=@pptp, 0x80, &(0x7f0000003b80), 0x3a5, &(0x7f0000003bc0), 0x72}}], 0x3a6, 0x0) setsockopt$SO_BINDTODEVICE(r2, 0x1, 0x19, &(0x7f0000000100)='erspan0\x00', 0xfc) sendmmsg(r1, &(0x7f000000a080)=[{{&(0x7f0000005440)=@pppol2tpin6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x2, {0xa, 0x0, 0x0, @ipv4={[], [], @local}}}}, 0x80, &(0x7f0000005640)=[{&(0x7f00000097c0)="bf", 0x1}], 0x1, 0x0, 0x0, 0x1}}], 0x1, 0x0) [ 200.430350][ T7892] device hsr_slave_1 entered promiscuous mode [ 200.529045][ T7892] bridge0: port 2(bridge_slave_1) entered blocking state [ 200.536330][ T7892] bridge0: port 2(bridge_slave_1) entered forwarding state [ 200.544387][ T7892] bridge0: port 1(bridge_slave_0) entered blocking state [ 200.551539][ T7892] bridge0: port 1(bridge_slave_0) entered forwarding state [ 200.582452][ T7898] IPVS: ftp: loaded support on port[0] = 21 [ 200.602354][ T7895] chnl_net:caif_netlink_parms(): no params data found [ 200.636533][ T7900] IPVS: ftp: loaded support on port[0] = 21 14:48:54 executing program 4: [ 200.702723][ T7895] bridge0: port 1(bridge_slave_0) entered blocking state [ 200.711097][ T7895] bridge0: port 1(bridge_slave_0) entered disabled state [ 200.720388][ T7895] device bridge_slave_0 entered promiscuous mode [ 200.728467][ T7895] bridge0: port 2(bridge_slave_1) entered blocking state [ 200.736819][ T7895] bridge0: port 2(bridge_slave_1) entered disabled state [ 200.746128][ T7895] device bridge_slave_1 entered promiscuous mode [ 200.854761][ T7895] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 200.882313][ T7895] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 200.972109][ T7892] 8021q: adding VLAN 0 to HW filter on device bond0 [ 200.974232][ T7904] IPVS: ftp: loaded support on port[0] = 21 [ 200.990749][ T7892] 8021q: adding VLAN 0 to HW filter on device team0 [ 201.021378][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 201.035551][ T5] bridge0: port 1(bridge_slave_0) entered disabled state [ 201.055589][ T5] bridge0: port 2(bridge_slave_1) entered disabled state [ 201.067457][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready [ 201.085037][ T7895] team0: Port device team_slave_0 added [ 201.100513][ T7895] team0: Port device team_slave_1 added 14:48:54 executing program 5: r0 = socket$inet6(0xa, 0x2, 0x0) socket$packet(0x11, 0x2, 0x300) connect$inet6(r0, &(0x7f0000000100)={0xa, 0x0, 0x0, @dev, 0x8}, 0x1c) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x4e22, 0x0, @ipv4={[], [], @multicast1}}, 0x1c) sendmmsg(r0, &(0x7f00000002c0), 0x400000000000174, 0x0) [ 201.125184][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 201.134488][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 201.146609][ T5] bridge0: port 1(bridge_slave_0) entered blocking state [ 201.153780][ T5] bridge0: port 1(bridge_slave_0) entered forwarding state [ 201.166488][ T7898] chnl_net:caif_netlink_parms(): no params data found [ 201.251942][ T7895] device hsr_slave_0 entered promiscuous mode [ 201.279222][ T7895] device hsr_slave_1 entered promiscuous mode [ 201.382626][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 201.392359][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 201.401335][ T5] bridge0: port 2(bridge_slave_1) entered blocking state [ 201.408477][ T5] bridge0: port 2(bridge_slave_1) entered forwarding state [ 201.464832][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 201.475939][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 201.496861][ T7908] IPVS: ftp: loaded support on port[0] = 21 [ 201.506077][ T7900] chnl_net:caif_netlink_parms(): no params data found [ 201.533698][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 201.543067][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 201.552778][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 201.561531][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 201.570123][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 201.578438][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 201.587112][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 201.595667][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 201.606378][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 201.618445][ T7898] bridge0: port 1(bridge_slave_0) entered blocking state [ 201.627189][ T7898] bridge0: port 1(bridge_slave_0) entered disabled state [ 201.635137][ T7898] device bridge_slave_0 entered promiscuous mode [ 201.643157][ T7898] bridge0: port 2(bridge_slave_1) entered blocking state [ 201.650313][ T7898] bridge0: port 2(bridge_slave_1) entered disabled state [ 201.658748][ T7898] device bridge_slave_1 entered promiscuous mode [ 201.688152][ T7892] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 201.750685][ T7898] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 201.763092][ T7898] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 201.774722][ T7900] bridge0: port 1(bridge_slave_0) entered blocking state [ 201.782260][ T7900] bridge0: port 1(bridge_slave_0) entered disabled state [ 201.790134][ T7900] device bridge_slave_0 entered promiscuous mode [ 201.818137][ T7898] team0: Port device team_slave_0 added [ 201.827630][ T7898] team0: Port device team_slave_1 added [ 201.836219][ T7900] bridge0: port 2(bridge_slave_1) entered blocking state [ 201.844923][ T7900] bridge0: port 2(bridge_slave_1) entered disabled state [ 201.863141][ T7900] device bridge_slave_1 entered promiscuous mode [ 201.887753][ T7900] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 201.897930][ T7900] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 201.961566][ T7900] team0: Port device team_slave_0 added [ 202.030767][ T7898] device hsr_slave_0 entered promiscuous mode [ 202.079282][ T7898] device hsr_slave_1 entered promiscuous mode [ 202.126204][ T7900] team0: Port device team_slave_1 added [ 202.147296][ T7892] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 202.176358][ T7904] chnl_net:caif_netlink_parms(): no params data found [ 202.262253][ T7900] device hsr_slave_0 entered promiscuous mode [ 202.311667][ T7900] device hsr_slave_1 entered promiscuous mode [ 202.380816][ T7895] 8021q: adding VLAN 0 to HW filter on device bond0 [ 202.407396][ T7908] chnl_net:caif_netlink_parms(): no params data found 14:48:56 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 202.435340][ T7904] bridge0: port 1(bridge_slave_0) entered blocking state [ 202.442894][ T7904] bridge0: port 1(bridge_slave_0) entered disabled state [ 202.451269][ T7904] device bridge_slave_0 entered promiscuous mode [ 202.498370][ T7904] bridge0: port 2(bridge_slave_1) entered blocking state [ 202.506911][ T7904] bridge0: port 2(bridge_slave_1) entered disabled state [ 202.515323][ T7904] device bridge_slave_1 entered promiscuous mode [ 202.526178][ T7895] 8021q: adding VLAN 0 to HW filter on device team0 [ 202.552128][ T7918] binder: 7917:7918 ioctl c018620b 0 returned -14 [ 202.566853][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 202.575253][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 202.595310][ T7904] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 202.606987][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 202.616074][ T7919] binder: 7917:7919 transaction failed 29189/-22, size 24-8 line 2995 [ 202.624691][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 202.626999][ T7919] binder: 7917:7919 BC_INCREFS_DONE u0000000000000000 no match [ 202.633181][ T5] bridge0: port 1(bridge_slave_0) entered blocking state [ 202.647975][ T5] bridge0: port 1(bridge_slave_0) entered forwarding state [ 202.656250][ T2888] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 202.665312][ T7908] bridge0: port 1(bridge_slave_0) entered blocking state [ 202.672838][ T7908] bridge0: port 1(bridge_slave_0) entered disabled state [ 202.680698][ T7908] device bridge_slave_0 entered promiscuous mode [ 202.692851][ T7904] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 202.717762][ T7908] bridge0: port 2(bridge_slave_1) entered blocking state [ 202.726915][ T7908] bridge0: port 2(bridge_slave_1) entered disabled state [ 202.734912][ T7908] device bridge_slave_1 entered promiscuous mode [ 202.752631][ T7904] team0: Port device team_slave_0 added [ 202.763420][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 202.772084][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 202.780921][ T7905] bridge0: port 2(bridge_slave_1) entered blocking state [ 202.789044][ T7905] bridge0: port 2(bridge_slave_1) entered forwarding state [ 202.796605][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 202.805328][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 202.838227][ T7904] team0: Port device team_slave_1 added [ 202.853323][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 202.863979][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 202.873342][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 202.882105][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 202.890503][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 202.925085][ T7908] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 202.935774][ T7908] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 202.957040][ T7898] 8021q: adding VLAN 0 to HW filter on device bond0 [ 203.002065][ T7904] device hsr_slave_0 entered promiscuous mode [ 203.049247][ T7904] device hsr_slave_1 entered promiscuous mode [ 203.106324][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 203.114678][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 203.124115][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 203.132743][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 203.143159][ T7895] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 203.168293][ T7908] team0: Port device team_slave_0 added [ 203.177690][ T7908] team0: Port device team_slave_1 added [ 203.190447][ T7900] 8021q: adding VLAN 0 to HW filter on device bond0 [ 203.213430][ T7895] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 203.227970][ T7898] 8021q: adding VLAN 0 to HW filter on device team0 [ 203.242821][ T7901] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 203.251441][ T7901] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 203.281173][ T7901] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 203.290264][ T7901] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 203.298984][ T7901] bridge0: port 1(bridge_slave_0) entered blocking state [ 203.306107][ T7901] bridge0: port 1(bridge_slave_0) entered forwarding state [ 203.314423][ T7901] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready 14:48:57 executing program 0: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = creat(&(0x7f0000000700)='./bus\x00', 0x0) r2 = open(&(0x7f0000000000)='./bus\x00', 0x0, 0x0) r3 = creat(&(0x7f0000000240)='./bus\x00', 0x0) ftruncate(r3, 0x8200) r4 = open(&(0x7f0000001840)='./bus\x00', 0x0, 0x0) sendfile(r1, r4, 0x0, 0x20000000ffe) sendfile(r1, r2, 0x0, 0x8000fffffffe) [ 203.323877][ T7901] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 203.332344][ T7901] bridge0: port 2(bridge_slave_1) entered blocking state [ 203.339448][ T7901] bridge0: port 2(bridge_slave_1) entered forwarding state [ 203.346177][ T7919] binder: 7917:7919 ioctl c018620b 0 returned -14 [ 203.351168][ T7900] 8021q: adding VLAN 0 to HW filter on device team0 [ 203.362604][ T7920] binder: 7917:7920 transaction failed 29189/-22, size 24-8 line 2995 [ 203.365581][ T7922] binder: 7917:7922 BC_INCREFS_DONE u0000000000000000 no match [ 203.411448][ T7908] device hsr_slave_0 entered promiscuous mode [ 203.457334][ T26] kauditd_printk_skb: 3 callbacks suppressed [ 203.457350][ T26] audit: type=1804 audit(1554648537.144:31): pid=7926 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.0" name="/root/syzkaller-testdir133207300/syzkaller.wLE1YV/2/bus" dev="sda1" ino=16517 res=1 [ 203.471182][ T7908] device hsr_slave_1 entered promiscuous mode [ 203.495074][ T26] audit: type=1804 audit(1554648537.144:32): pid=7926 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.0" name="/root/syzkaller-testdir133207300/syzkaller.wLE1YV/2/bus" dev="sda1" ino=16517 res=1 [ 203.495102][ T26] audit: type=1804 audit(1554648537.154:33): pid=7926 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.0" name="/root/syzkaller-testdir133207300/syzkaller.wLE1YV/2/bus" dev="sda1" ino=16517 res=1 [ 203.609178][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 203.628662][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 203.638080][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 203.653739][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 203.676216][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 203.687799][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 203.705285][ T22] bridge0: port 1(bridge_slave_0) entered blocking state [ 203.712501][ T22] bridge0: port 1(bridge_slave_0) entered forwarding state [ 203.727255][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 203.803147][ T7929] capability: warning: `syz-executor.1' uses 32-bit capabilities (legacy support in use) [ 203.822891][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 203.832735][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 203.842722][ T22] bridge0: port 2(bridge_slave_1) entered blocking state [ 203.850290][ T22] bridge0: port 2(bridge_slave_1) entered forwarding state [ 203.858738][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 203.868799][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 203.881834][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 203.890895][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 203.899824][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 203.909633][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready 14:48:57 executing program 1: r0 = socket$inet(0xa, 0x801, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) getsockopt$sock_buf(r0, 0x1, 0x10, 0x0, &(0x7f0000000040)) [ 203.945886][ T7904] 8021q: adding VLAN 0 to HW filter on device bond0 [ 203.971376][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 203.987637][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 204.007394][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 204.025594][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready 14:48:57 executing program 1: r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000940)='/dev/uhid\x00', 0x802, 0x0) r1 = open(&(0x7f00000001c0)='./bus\x00', 0x141042, 0x0) write$UHID_CREATE2(r1, &(0x7f0000000080)={0xb, 'syz1\x00', 'syz1\x00', 'syz1\x00', 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, '?'}, 0x119) write$P9_RREADLINK(r1, &(0x7f0000000300)=ANY=[], 0xffffff93) sendfile(r0, r1, &(0x7f0000d83ff8), 0x8000fffffffe) [ 204.053216][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 204.062926][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 204.071928][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 204.081069][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 204.096332][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 204.114571][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 204.148865][ T7900] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 204.168400][ T7900] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 204.193440][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 204.202712][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 204.224742][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 204.232770][ T26] audit: type=1804 audit(1554648537.914:34): pid=7939 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.0" name="/root/syzkaller-testdir133207300/syzkaller.wLE1YV/2/bus" dev="sda1" ino=16517 res=1 [ 204.253178][ T7937] UHID_CREATE from different security context by process 8 (syz-executor.1), this is not allowed. [ 204.279435][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 204.301339][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 204.334996][ T5] hid-generic 0000:0000:0000.0001: item fetching failed at offset -1478943807 [ 204.357790][ T7898] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 204.369439][ T5] hid-generic: probe of 0000:0000:0000.0001 failed with error -22 [ 204.381861][ T7904] 8021q: adding VLAN 0 to HW filter on device team0 [ 204.395994][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 204.406003][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 204.423054][ T7900] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 204.457126][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 204.473750][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 204.487474][ T17] bridge0: port 1(bridge_slave_0) entered blocking state [ 204.494633][ T17] bridge0: port 1(bridge_slave_0) entered forwarding state [ 204.510629][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 204.523971][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 204.535035][ T17] bridge0: port 2(bridge_slave_1) entered blocking state [ 204.542299][ T17] bridge0: port 2(bridge_slave_1) entered forwarding state [ 204.569308][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 204.586655][ T7898] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 204.595292][ T26] audit: type=1804 audit(1554648538.284:35): pid=7926 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.0" name="/root/syzkaller-testdir133207300/syzkaller.wLE1YV/2/bus" dev="sda1" ino=16517 res=1 [ 204.636455][ T7908] 8021q: adding VLAN 0 to HW filter on device bond0 [ 204.665044][ C1] hrtimer: interrupt took 25880 ns 14:48:58 executing program 0: r0 = socket$inet_udp(0x2, 0x2, 0x0) setsockopt$ARPT_SO_SET_REPLACE(r0, 0x0, 0x60, &(0x7f00000004c0)=ANY=[@ANYBLOB="000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0001801000000000000000000000000000000000000000000000000000028004e46515545554500000000000000000000000000000000000000000000000000000000000000e0000002e0000002ffffffff000000003a3988bdc7fd000000000000000000000000000000000000ffffff000000000000000000000000000d073d89577c000000000000000000000000000000000000ffffff00ffff00000000000000000000000004000081fffb0003035169703667726574617030000000000000687773696d300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000000000000000000f0001801000000000000000011000000000000000000000000000000000028004e46515545554500000000000000000000000000000000000000000000020104fdff03000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0001802000000000000000000000000000000000000000000000000000028015345434d41524b0000000000000000000000000000000000000000000000010000000a4700797374656d5f753a6f626a6563745f723a676574747901262d74635f743a7330000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c000e8000000000000000000000000000000000000000000000000002800000000000000000000000000000000000000000000000000000000000000feffffff00000000"], 0x1) r1 = socket$inet6(0xa, 0x80003, 0x5) connect$inet6(r1, &(0x7f0000000480)={0xa, 0x0, 0x0, @dev, 0x3}, 0x1c) syz_open_dev$dmmidi(&(0x7f0000000040)='/dev/dmmidi#\x00', 0x101, 0x10800) r2 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ptmx\x00', 0x40, 0x0) ioctl$TIOCPKT(r2, 0x5420, &(0x7f0000000000)=0xa35) mkdirat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x0) clone(0x2102001ffc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) mount$9p_unix(&(0x7f0000000100)='./file0\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000240)='9p\x00', 0x200000, &(0x7f0000000b80)=ANY=[@ANYBLOB="2c646d61636b66736861743d776c616e31776c616e31747275737465647365ec696e7578273a252c00"]) [ 204.741998][ T26] audit: type=1804 audit(1554648538.344:36): pid=7941 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.0" name="/root/syzkaller-testdir133207300/syzkaller.wLE1YV/2/bus" dev="sda1" ino=16517 res=1 [ 204.773144][ T7921] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 204.781829][ T7921] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 204.826160][ T7921] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 204.841132][ T7921] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 204.849600][ T26] audit: type=1804 audit(1554648538.364:37): pid=7944 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.0" name="/root/syzkaller-testdir133207300/syzkaller.wLE1YV/2/bus" dev="sda1" ino=16517 res=1 [ 204.875277][ T7921] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 204.884713][ T7921] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 204.902389][ T7921] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 204.911656][ T7950] 9pnet_virtio: no channels available for device ./file0 [ 204.931904][ T7904] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network [ 204.972897][ T7904] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 204.976680][ T7959] 9pnet_virtio: no channels available for device ./file0 14:48:58 executing program 3: socket$inet6(0xa, 0x3, 0x6) fdatasync(0xffffffffffffff9c) socket$inet6(0xa, 0x1000000000002, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sendmsg$IPVS_CMD_DEL_DEST(0xffffffffffffffff, &(0x7f0000000580)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x4}, 0xc, &(0x7f0000000040)={&(0x7f0000000380)=ANY=[@ANYBLOB="9287b748246deeca588edacd5c1cc596a848a41b96d72d9ff1ffcd245d4623bea592fa911a59141ad79770daa350bbd501b4cb95cf19700700000000000000625d08ef137426f4997e282f68591512c4636d34e1d3cc668e8b4f8843a8485590d2eacc2773f295290a92d6f061f3d87a22968a81d80da9a6c39f5c7aa09f49456049763d7bb11d1171be83d26f047ce47c565dbf107ab9605a473e04c7e779a0c244ca4388df158abb"], 0x1}, 0x1, 0x0, 0x0, 0x90}, 0xfffffffffffffffd) r0 = socket$inet6(0xa, 0x6, 0x0) bind$inet6(r0, &(0x7f0000000000)={0xa, 0x4e20}, 0x1c) r1 = socket$inet_dccp(0x2, 0x6, 0x0) listen(r0, 0x6) setsockopt(r1, 0x10d, 0x800000000d, &(0x7f00001c9fff)="03", 0x1) connect$inet(r1, &(0x7f0000e5c000)={0x2, 0x4e20, @dev={0xac, 0x14, 0x14, 0x20}}, 0x10) r2 = accept(r0, 0x0, &(0x7f00000001c0)=0x281) sendmmsg(r1, &(0x7f0000005700)=[{{&(0x7f0000003900)=@pptp, 0x80, &(0x7f0000003b80), 0x3a5, &(0x7f0000003bc0), 0x72}}], 0x3a6, 0x0) setsockopt$SO_BINDTODEVICE(r2, 0x1, 0x19, &(0x7f0000000100)='erspan0\x00', 0xfc) sendmmsg(r1, &(0x7f000000a080)=[{{&(0x7f0000005440)=@pppol2tpin6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x2, {0xa, 0x0, 0x0, @ipv4={[], [], @local}}}}, 0x80, &(0x7f0000005640)=[{&(0x7f00000097c0)="bf", 0x1}], 0x1, 0x0, 0x0, 0x1}}], 0x1, 0x0) 14:48:58 executing program 0: r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f0000000040)={0x0, 0xfffffffffffff000, &(0x7f0000000000)={&(0x7f0000000140)={0x14, 0x1c, 0xffffff1f, 0x0, 0x0, {0x1, 0x6000, 0x6000}}, 0x14}}, 0x0) recvmmsg(r0, &(0x7f0000004040)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0, 0x0) [ 205.026133][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 205.071075][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 205.092554][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready 14:48:58 executing program 0: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0xee6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$key(0xf, 0x3, 0x2) sendmsg$key(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000000c0)={0x2, 0x3, 0x0, 0x3, 0x9, 0x0, 0x0, 0x0, [@sadb_key={0x2, 0x9, 0x8, 0x0, "e5"}, @sadb_sa={0x2, 0x1, 0x0, 0x0, 0x0, 0x0, 0x2}, @sadb_address={0x3, 0x5, 0x0, 0x0, 0x0, @in={0x2, 0x0, @multicast1}}]}, 0x48}}, 0x0) [ 205.125415][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 205.150301][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 205.231234][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 205.250556][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 205.282712][ T7908] 8021q: adding VLAN 0 to HW filter on device team0 [ 205.318181][ T7904] 8021q: adding VLAN 0 to HW filter on device batadv0 14:48:59 executing program 2: ioctl$SG_GET_PACK_ID(0xffffffffffffffff, 0x227c, &(0x7f0000000180)) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f0000000000)={0x26, 'aead\x00', 0x0, 0x0, 'morus640-generic\x00'}, 0x58) setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000080)="ab553fec94248c32e27d04000000288a", 0x10) r1 = accept$alg(r0, 0x0, 0x0) sendmsg$alg(r1, &(0x7f0000001380)={0x0, 0x0, 0x0, 0x0, &(0x7f00000000c0)=[@op={0x18, 0x117, 0x3, 0x1}, @assoc={0x18, 0x117, 0x4, 0x2f5}], 0x30}, 0x0) write$binfmt_script(r1, &(0x7f0000000600)=ANY=[], 0xfec8) recvmmsg(r1, &(0x7f0000007e00)=[{{&(0x7f0000001240)=@alg, 0x80, &(0x7f0000004700)=[{&(0x7f00000012c0)=""/167, 0xf}, {&(0x7f00000023c0)=""/49, 0x200023f1}, {&(0x7f0000003580)=""/4096, 0x1000}], 0x3, &(0x7f0000004780)=""/245, 0xf5}}], 0x30, 0x0, &(0x7f0000008000)={0x0, 0x989680}) ioctl$KVM_PPC_GET_PVINFO(0xffffffffffffffff, 0x4080aea1, &(0x7f0000000100)=""/4) 14:48:59 executing program 1: r0 = open(&(0x7f0000000040)='./file0\x00', 0x2000000000008040, 0x0) fcntl$setsig(r0, 0xa, 0x11) fcntl$setlease(r0, 0x400, 0x0) truncate(&(0x7f00000000c0)='./file0\x00', 0x0) r1 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x989680}}, 0x0) tkill(r1, 0x1004000000016) fcntl$setlease(r0, 0x400, 0x2) [ 205.385032][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 205.394394][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 205.418084][ T7905] bridge0: port 1(bridge_slave_0) entered blocking state [ 205.425285][ T7905] bridge0: port 1(bridge_slave_0) entered forwarding state [ 205.453440][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 205.495218][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 205.515178][ T7905] bridge0: port 2(bridge_slave_1) entered blocking state [ 205.522386][ T7905] bridge0: port 2(bridge_slave_1) entered forwarding state [ 205.536391][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 205.545739][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 205.562085][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 205.577128][ T7905] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 205.588856][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 205.605820][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 205.627762][ T7921] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready 14:48:59 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x14, 0x0, &(0x7f0000000280)=[@increfs_done], 0x0, 0x0, 0x0}) [ 205.646369][ T7921] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 205.664052][ T7921] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 205.691938][ T7921] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 205.702394][ T7921] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 205.711607][ T7921] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 205.723470][ T7908] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 205.746174][ T7998] binder: 7997:7998 transaction failed 29189/-22, size 24-8 line 2995 [ 205.757622][ T7998] binder: 7997:7998 transaction failed 29189/-22, size 24-8 line 2995 [ 205.767332][ T7999] binder: 7997:7999 BC_INCREFS_DONE u0000000000000000 no match [ 205.777100][ T2888] binder: undelivered TRANSACTION_ERROR: 29189 [ 205.789239][ T2888] binder: undelivered TRANSACTION_ERROR: 29189 [ 205.806613][ T7908] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 205.881824][ T8003] BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor.5/8003 [ 205.891436][ T8003] caller is sk_mc_loop+0x1d/0x210 [ 205.896566][ T8003] CPU: 0 PID: 8003 Comm: syz-executor.5 Not tainted 5.1.0-rc3-next-20190405 #19 [ 205.905577][ T8003] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 205.916698][ T8003] Call Trace: [ 205.920013][ T8003] dump_stack+0x172/0x1f0 [ 205.924362][ T8003] __this_cpu_preempt_check+0x246/0x270 [ 205.929939][ T8003] sk_mc_loop+0x1d/0x210 [ 205.934192][ T8003] ip_mc_output+0x2ef/0xf70 [ 205.938713][ T8003] ? __ip_queue_xmit+0x1bf0/0x1bf0 [ 205.943858][ T8003] ? ip_append_data.part.0+0x170/0x170 [ 205.949326][ T8003] ? ip_make_skb+0x1b1/0x2c0 [ 205.953926][ T8003] ? ip_reply_glue_bits+0xc0/0xc0 [ 205.958964][ T8003] ip_local_out+0xc4/0x1b0 [ 205.963410][ T8003] ip_send_skb+0x42/0xf0 [ 205.967665][ T8003] udp_send_skb.isra.0+0x6b2/0x1180 [ 205.972877][ T8003] ? xfrm_lookup_route+0x5b/0x1f0 [ 205.977934][ T8003] udp_sendmsg+0x1dfd/0x2820 [ 205.982555][ T8003] ? ip_reply_glue_bits+0xc0/0xc0 [ 205.987599][ T8003] ? udp4_lib_lookup_skb+0x440/0x440 [ 205.992906][ T8003] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 205.998819][ T8003] ? find_next_and_bit+0x19a/0x200 [ 206.003956][ T8003] ? __lock_acquire+0x548/0x3fb0 [ 206.009435][ T8003] udpv6_sendmsg+0x13a4/0x28d0 [ 206.014212][ T8003] ? udpv6_sendmsg+0x13a4/0x28d0 [ 206.019173][ T8003] ? udp6_unicast_rcv_skb.isra.0+0x2f0/0x2f0 [ 206.025184][ T8003] ? aa_profile_af_perm+0x320/0x320 [ 206.030401][ T8003] ? __might_fault+0x12b/0x1e0 [ 206.035182][ T8003] ? find_held_lock+0x35/0x130 [ 206.039960][ T8003] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 206.046799][ T8003] ? rw_copy_check_uvector+0x2a6/0x330 [ 206.052284][ T8003] ? ___might_sleep+0x163/0x280 [ 206.057154][ T8003] ? __might_sleep+0x95/0x190 [ 206.061847][ T8003] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 206.067929][ T8003] ? aa_sk_perm+0x288/0x880 [ 206.072456][ T8003] ? aa_sock_msg_perm.isra.0+0xba/0x170 [ 206.078022][ T8003] inet_sendmsg+0x147/0x5e0 [ 206.082554][ T8003] ? udp6_unicast_rcv_skb.isra.0+0x2f0/0x2f0 [ 206.088556][ T8003] ? inet_sendmsg+0x147/0x5e0 [ 206.093253][ T8003] ? ipip_gro_receive+0x100/0x100 [ 206.098292][ T8003] sock_sendmsg+0xdd/0x130 [ 206.102735][ T8003] ___sys_sendmsg+0x3e2/0x930 [ 206.107448][ T8003] ? copy_msghdr_from_user+0x430/0x430 [ 206.112917][ T8003] ? lock_downgrade+0x880/0x880 [ 206.117775][ T8003] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 206.124028][ T8003] ? kasan_check_read+0x11/0x20 [ 206.128890][ T8003] ? __fget+0x381/0x550 [ 206.133063][ T8003] ? ksys_dup3+0x3e0/0x3e0 [ 206.137795][ T8003] ? __fget_light+0x1a9/0x230 [ 206.142483][ T8003] ? __fdget+0x1b/0x20 [ 206.146573][ T8003] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 206.152832][ T8003] ? sockfd_lookup_light+0xcb/0x180 [ 206.158041][ T8003] __sys_sendmmsg+0x1bf/0x4d0 [ 206.162739][ T8003] ? __ia32_sys_sendmsg+0xb0/0xb0 [ 206.167801][ T8003] ? _copy_to_user+0xc9/0x120 [ 206.172497][ T8003] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 206.178772][ T8003] ? put_timespec64+0xda/0x140 [ 206.183558][ T8003] ? nsecs_to_jiffies+0x30/0x30 [ 206.188432][ T8003] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 206.193905][ T8003] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 206.199376][ T8003] ? do_syscall_64+0x26/0x610 [ 206.204061][ T8003] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 206.210137][ T8003] ? do_syscall_64+0x26/0x610 [ 206.214829][ T8003] __x64_sys_sendmmsg+0x9d/0x100 [ 206.219781][ T8003] do_syscall_64+0x103/0x610 [ 206.224415][ T8003] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 206.230306][ T8003] RIP: 0033:0x4582b9 [ 206.234205][ T8003] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 206.253812][ T8003] RSP: 002b:00007f1ae77ecc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 [ 206.262310][ T8003] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004582b9 [ 206.270278][ T8003] RDX: 0400000000000174 RSI: 00000000200002c0 RDI: 0000000000000003 [ 206.278252][ T8003] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 [ 206.286236][ T8003] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1ae77ed6d4 [ 206.294212][ T8003] R13: 00000000004c5230 R14: 00000000004d9380 R15: 00000000ffffffff [ 206.304140][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 206.309192][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 206.310111][ C0] protocol 88fb is buggy, dev hsr_slave_1 [ 206.315849][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 206.330426][ T8003] BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor.5/8003 [ 206.339898][ T8003] caller is sk_mc_loop+0x1d/0x210 [ 206.344941][ T8003] CPU: 0 PID: 8003 Comm: syz-executor.5 Not tainted 5.1.0-rc3-next-20190405 #19 [ 206.353959][ T8003] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 206.364011][ T8003] Call Trace: [ 206.367309][ T8003] dump_stack+0x172/0x1f0 [ 206.371657][ T8003] __this_cpu_preempt_check+0x246/0x270 [ 206.377218][ T8003] sk_mc_loop+0x1d/0x210 [ 206.381473][ T8003] ip_mc_output+0x2ef/0xf70 [ 206.385993][ T8003] ? __ip_queue_xmit+0x1bf0/0x1bf0 [ 206.391120][ T8003] ? ip_append_data.part.0+0x170/0x170 [ 206.396606][ T8003] ? ip_make_skb+0x1b1/0x2c0 [ 206.401196][ T8003] ? ip_reply_glue_bits+0xc0/0xc0 [ 206.406209][ T8003] ip_local_out+0xc4/0x1b0 [ 206.410612][ T8003] ip_send_skb+0x42/0xf0 [ 206.414869][ T8003] udp_send_skb.isra.0+0x6b2/0x1180 [ 206.420060][ T8003] ? xfrm_lookup_route+0x5b/0x1f0 [ 206.425076][ T8003] udp_sendmsg+0x1dfd/0x2820 [ 206.429682][ T8003] ? ip_reply_glue_bits+0xc0/0xc0 [ 206.434697][ T8003] ? udp4_lib_lookup_skb+0x440/0x440 [ 206.439973][ T8003] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 206.445680][ T8003] ? find_next_and_bit+0x19a/0x200 [ 206.450784][ T8003] ? __lock_acquire+0x548/0x3fb0 [ 206.455717][ T8003] udpv6_sendmsg+0x13a4/0x28d0 [ 206.460469][ T8003] ? udpv6_sendmsg+0x13a4/0x28d0 [ 206.465399][ T8003] ? udp6_unicast_rcv_skb.isra.0+0x2f0/0x2f0 [ 206.471371][ T8003] ? aa_profile_af_perm+0x320/0x320 [ 206.476563][ T8003] ? __might_fault+0x12b/0x1e0 [ 206.481331][ T8003] ? find_held_lock+0x35/0x130 [ 206.486081][ T8003] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 206.492487][ T8003] ? rw_copy_check_uvector+0x2a6/0x330 [ 206.497960][ T8003] ? ___might_sleep+0x163/0x280 [ 206.502825][ T8003] ? __might_sleep+0x95/0x190 [ 206.507492][ T8003] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 206.513153][ T8003] ? aa_sk_perm+0x288/0x880 [ 206.517647][ T8003] ? aa_sock_msg_perm.isra.0+0xba/0x170 [ 206.523267][ T8003] inet_sendmsg+0x147/0x5e0 [ 206.527757][ T8003] ? udp6_unicast_rcv_skb.isra.0+0x2f0/0x2f0 [ 206.533717][ T8003] ? inet_sendmsg+0x147/0x5e0 [ 206.538381][ T8003] ? ipip_gro_receive+0x100/0x100 [ 206.543391][ T8003] sock_sendmsg+0xdd/0x130 [ 206.547797][ T8003] ___sys_sendmsg+0x3e2/0x930 [ 206.552461][ T8003] ? copy_msghdr_from_user+0x430/0x430 [ 206.557935][ T8003] ? __lock_acquire+0x548/0x3fb0 [ 206.562858][ T8003] ? lock_downgrade+0x880/0x880 [ 206.567693][ T8003] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 206.573944][ T8003] ? kasan_check_read+0x11/0x20 [ 206.578784][ T8003] ? __might_fault+0x12b/0x1e0 [ 206.583547][ T8003] ? find_held_lock+0x35/0x130 [ 206.588320][ T8003] ? __might_fault+0x12b/0x1e0 [ 206.593070][ T8003] ? lock_downgrade+0x880/0x880 [ 206.597933][ T8003] ? ___might_sleep+0x163/0x280 [ 206.602805][ T8003] __sys_sendmmsg+0x1bf/0x4d0 [ 206.607472][ T8003] ? __ia32_sys_sendmsg+0xb0/0xb0 [ 206.612484][ T8003] ? _copy_to_user+0xc9/0x120 [ 206.617147][ T8003] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 206.623370][ T8003] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 206.629620][ T8003] ? put_timespec64+0xda/0x140 [ 206.634376][ T8003] ? nsecs_to_jiffies+0x30/0x30 [ 206.639219][ T8003] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 206.644665][ T8003] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 206.650121][ T8003] ? do_syscall_64+0x26/0x610 [ 206.654785][ T8003] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 206.660834][ T8003] ? do_syscall_64+0x26/0x610 [ 206.665496][ T8003] __x64_sys_sendmmsg+0x9d/0x100 [ 206.670428][ T8003] do_syscall_64+0x103/0x610 [ 206.680717][ T8003] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 206.686796][ T8003] RIP: 0033:0x4582b9 [ 206.690762][ T8003] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 206.710666][ T8003] RSP: 002b:00007f1ae77ecc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 [ 206.719087][ T8003] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004582b9 [ 206.727068][ T8003] RDX: 0400000000000174 RSI: 00000000200002c0 RDI: 0000000000000003 [ 206.735051][ T8003] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 [ 206.743030][ T8003] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1ae77ed6d4 [ 206.751011][ T8003] R13: 00000000004c5230 R14: 00000000004d9380 R15: 00000000ffffffff [ 206.764442][ T8005] BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor.5/8005 [ 206.776039][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 206.776105][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 206.779278][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 206.779325][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 206.803482][ T8005] caller is sk_mc_loop+0x1d/0x210 [ 206.808711][ T8005] CPU: 1 PID: 8005 Comm: syz-executor.5 Not tainted 5.1.0-rc3-next-20190405 #19 [ 206.817746][ T8005] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 206.828763][ T8005] Call Trace: [ 206.832254][ T8005] dump_stack+0x172/0x1f0 [ 206.836711][ T8005] __this_cpu_preempt_check+0x246/0x270 [ 206.843179][ T8005] sk_mc_loop+0x1d/0x210 [ 206.849014][ T8005] ip_mc_output+0x2ef/0xf70 [ 206.854529][ T8005] ? __ip_queue_xmit+0x1bf0/0x1bf0 [ 206.864519][ T8005] ? ip_append_data.part.0+0x170/0x170 [ 206.879588][ T8005] ? ip_make_skb+0x1b1/0x2c0 [ 206.884855][ T8005] ? ip_reply_glue_bits+0xc0/0xc0 [ 206.889996][ T8005] ip_local_out+0xc4/0x1b0 [ 206.894445][ T8005] ip_send_skb+0x42/0xf0 [ 206.898704][ T8005] udp_send_skb.isra.0+0x6b2/0x1180 [ 206.903893][ T8005] ? xfrm_lookup_route+0x5b/0x1f0 [ 206.908932][ T8005] udp_sendmsg+0x1dfd/0x2820 [ 206.913534][ T8005] ? find_held_lock+0x35/0x130 [ 206.918303][ T8005] ? ip_reply_glue_bits+0xc0/0xc0 [ 206.923326][ T8005] ? udp4_lib_lookup_skb+0x440/0x440 [ 206.928632][ T8005] ? kasan_check_read+0x11/0x20 [ 206.933583][ T8005] ? is_bpf_text_address+0xd3/0x170 [ 206.938835][ T8005] udpv6_sendmsg+0x13a4/0x28d0 [ 206.943603][ T8005] ? udpv6_sendmsg+0x13a4/0x28d0 [ 206.948810][ T8005] ? udp6_unicast_rcv_skb.isra.0+0x2f0/0x2f0 [ 206.954842][ T8005] ? aa_profile_af_perm+0x320/0x320 [ 206.960161][ T8005] ? __might_fault+0x12b/0x1e0 [ 206.964926][ T8005] ? find_held_lock+0x35/0x130 [ 206.969697][ T8005] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 206.975938][ T8005] ? rw_copy_check_uvector+0x2a6/0x330 [ 206.981408][ T8005] ? ___might_sleep+0x163/0x280 [ 206.986424][ T8005] ? __might_sleep+0x95/0x190 [ 206.991107][ T8005] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 206.996739][ T8005] ? aa_sk_perm+0x288/0x880 [ 207.001235][ T8005] ? aa_sock_msg_perm.isra.0+0xba/0x170 [ 207.006766][ T8005] inet_sendmsg+0x147/0x5e0 [ 207.011318][ T8005] ? udp6_unicast_rcv_skb.isra.0+0x2f0/0x2f0 [ 207.017297][ T8005] ? inet_sendmsg+0x147/0x5e0 [ 207.021981][ T8005] ? ipip_gro_receive+0x100/0x100 [ 207.027112][ T8005] sock_sendmsg+0xdd/0x130 [ 207.031633][ T8005] ___sys_sendmsg+0x3e2/0x930 [ 207.036330][ T8005] ? copy_msghdr_from_user+0x430/0x430 [ 207.041787][ T8005] ? lock_downgrade+0x880/0x880 [ 207.046633][ T8005] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 207.052886][ T8005] ? kasan_check_read+0x11/0x20 [ 207.057746][ T8005] ? __fget+0x381/0x550 [ 207.061895][ T8005] ? ksys_dup3+0x3e0/0x3e0 [ 207.067419][ T8005] ? __fget_light+0x1a9/0x230 [ 207.072104][ T8005] ? __fdget+0x1b/0x20 [ 207.076172][ T8005] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 207.082435][ T8005] ? sockfd_lookup_light+0xcb/0x180 [ 207.087627][ T8005] __sys_sendmmsg+0x1bf/0x4d0 [ 207.092308][ T8005] ? __ia32_sys_sendmsg+0xb0/0xb0 [ 207.097336][ T8005] ? _copy_to_user+0xc9/0x120 [ 207.102001][ T8005] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 207.108243][ T8005] ? put_timespec64+0xda/0x140 [ 207.113030][ T8005] ? nsecs_to_jiffies+0x30/0x30 [ 207.117887][ T8005] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 207.123332][ T8005] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 207.128778][ T8005] ? do_syscall_64+0x26/0x610 [ 207.133481][ T8005] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 207.139561][ T8005] ? do_syscall_64+0x26/0x610 [ 207.144251][ T8005] __x64_sys_sendmmsg+0x9d/0x100 [ 207.149193][ T8005] do_syscall_64+0x103/0x610 [ 207.153800][ T8005] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 207.159706][ T8005] RIP: 0033:0x4582b9 [ 207.163627][ T8005] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 207.184105][ T8005] RSP: 002b:00007f1ae77cbc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 [ 207.192613][ T8005] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004582b9 [ 207.200591][ T8005] RDX: 0400000000000174 RSI: 00000000200002c0 RDI: 0000000000000005 [ 207.208590][ T8005] RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000 [ 207.216564][ T8005] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1ae77cc6d4 [ 207.224527][ T8005] R13: 00000000004c5230 R14: 00000000004d9380 R15: 00000000ffffffff [ 207.240246][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 207.246045][ C1] protocol 88fb is buggy, dev hsr_slave_1 14:49:01 executing program 5: syz_emit_ethernet(0x1, &(0x7f0000000040)=ANY=[@ANYBLOB="ffffffffffffaaaaaaaaaaaa86dd60f5f5ae0030670000000000000000000000ffffac9c14aaff02000000000000000000000000000102009078000000006081a8bf000000000000000000000000000000000000000100000000000000000000000000000001"], 0x0) 14:49:01 executing program 0: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000040)="0adc1f123c123f3188b070") r1 = syz_open_dev$sndctrl(&(0x7f0000006000)='/dev/snd/controlC#\x00', 0x0, 0x0) ioctl$SNDRV_CTL_IOCTL_PCM_PREFER_SUBDEVICE(r1, 0x40045532, &(0x7f00000001c0)) openat$audio(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/audio\x00', 0x0, 0x0) 14:49:01 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000001440)='/dev/binder#\x00', 0xffffffffffffffff, 0x802) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000001a00)={0x0, 0x0, 0x0, 0x1, 0x0, &(0x7f0000001a80)='L'}) 14:49:01 executing program 1: r0 = socket$inet_tcp(0x2, 0x1, 0x0) setsockopt$inet_tcp_int(r0, 0x6, 0x10000000013, &(0x7f0000d06000)=0x1, 0x4) setsockopt$SO_BINDTODEVICE(r0, 0x1, 0x19, &(0x7f0000000000)='veth1\x00', 0x10) connect$inet(r0, &(0x7f00000000c0)={0x2, 0x0, @local}, 0x10) setsockopt$inet_tcp_int(r0, 0x6, 0x4000000000013, &(0x7f0000000180), 0x4) sendmmsg(r0, &(0x7f000000c780)=[{{0x0, 0x0, 0x0, 0x0, &(0x7f0000004880)=[{0x10, 0x1}], 0x10}}], 0x1, 0x40) 14:49:01 executing program 4: r0 = socket$inet6_sctp(0xa, 0x10000000005, 0x84) getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST(r0, 0x84, 0x1d, &(0x7f000095dff8)=ANY=[@ANYBLOB='\a\x00\x00\x00', @ANYRES32=0x0], 0x0) setsockopt$inet_sctp6_SCTP_MAX_BURST(r0, 0x84, 0x14, &(0x7f0000000000)=@assoc_value={r1}, 0x8) 14:49:01 executing program 3: socket$inet6(0xa, 0x3, 0x6) fdatasync(0xffffffffffffff9c) socket$inet6(0xa, 0x1000000000002, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sendmsg$IPVS_CMD_DEL_DEST(0xffffffffffffffff, &(0x7f0000000580)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x4}, 0xc, &(0x7f0000000040)={&(0x7f0000000380)=ANY=[@ANYBLOB="9287b748246deeca588edacd5c1cc596a848a41b96d72d9ff1ffcd245d4623bea592fa911a59141ad79770daa350bbd501b4cb95cf19700700000000000000625d08ef137426f4997e282f68591512c4636d34e1d3cc668e8b4f8843a8485590d2eacc2773f295290a92d6f061f3d87a22968a81d80da9a6c39f5c7aa09f49456049763d7bb11d1171be83d26f047ce47c565dbf107ab9605a473e04c7e779a0c244ca4388df158abb"], 0x1}, 0x1, 0x0, 0x0, 0x90}, 0xfffffffffffffffd) r0 = socket$inet6(0xa, 0x6, 0x0) bind$inet6(r0, &(0x7f0000000000)={0xa, 0x4e20}, 0x1c) r1 = socket$inet_dccp(0x2, 0x6, 0x0) listen(r0, 0x6) setsockopt(r1, 0x10d, 0x800000000d, &(0x7f00001c9fff)="03", 0x1) connect$inet(r1, &(0x7f0000e5c000)={0x2, 0x4e20, @dev={0xac, 0x14, 0x14, 0x20}}, 0x10) r2 = accept(r0, 0x0, &(0x7f00000001c0)=0x281) sendmmsg(r1, &(0x7f0000005700)=[{{&(0x7f0000003900)=@pptp, 0x80, &(0x7f0000003b80), 0x3a5, &(0x7f0000003bc0), 0x72}}], 0x3a6, 0x0) setsockopt$SO_BINDTODEVICE(r2, 0x1, 0x19, &(0x7f0000000100)='erspan0\x00', 0xfc) sendmmsg(r1, &(0x7f000000a080)=[{{&(0x7f0000005440)=@pppol2tpin6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x2, {0xa, 0x0, 0x0, @ipv4={[], [], @local}}}}, 0x80, &(0x7f0000005640)=[{&(0x7f00000097c0)="bf", 0x1}], 0x1, 0x0, 0x0, 0x1}}], 0x1, 0x0) 14:49:01 executing program 1: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") r1 = bpf$MAP_CREATE(0x0, &(0x7f00000001c0)={0x14, 0x4, 0x4, 0x7}, 0x2c) bpf$MAP_LOOKUP_ELEM(0x4, &(0x7f0000000040)={r1, &(0x7f0000000000), 0x0}, 0x18) 14:49:01 executing program 2: r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) bind$bt_l2cap(r0, &(0x7f00000000c0), 0xe) listen(r0, 0x0) setsockopt$sock_linger(r0, 0x1, 0xd, &(0x7f0000000000)={0x1, 0x1000}, 0x8) shutdown(r0, 0x0) 14:49:01 executing program 4: clone(0x8000003002001ffe, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = gettid() wait4(0x0, 0x0, 0x80000000, 0x0) ptrace$setopts(0x4206, r0, 0x0, 0x0) tkill(r0, 0x38) ptrace$cont(0x18, r0, 0x0, 0x0) r1 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r1, 0x1000008912, &(0x7f0000000040)="0adc1f123c12a41d88b070") syz_emit_ethernet(0x0, 0x0, 0x0) ioctl$BLKTRACESETUP(0xffffffffffffffff, 0xc0481273, &(0x7f00000000c0)={[], 0x0, 0x0, 0x0, 0x0, 0xa9}) ptrace$setregs(0xd, r0, 0x0, &(0x7f0000000080)) ptrace$cont(0x20, r0, 0x0, 0x0) 14:49:01 executing program 5: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000000c0)='memory.events\x00', 0x26e1, 0x0) r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000140)='memory.events\x00', 0x7a05, 0x1700) write$cgroup_subtree(r0, &(0x7f0000000680)=ANY=[@ANYRES32=r1], 0x4) write$cgroup_subtree(r1, &(0x7f0000000000)=ANY=[], 0xfffffcbe) getsockopt$inet_sctp6_SCTP_RECONFIG_SUPPORTED(r0, 0x84, 0x75, &(0x7f0000000100)={0x0, 0x2}, &(0x7f00000001c0)=0x8) getsockopt$inet_sctp6_SCTP_RESET_STREAMS(r1, 0x84, 0x77, &(0x7f0000000200)={r2, 0x3b32, 0x4, [0x8, 0xfffffffffffffffb, 0x9, 0x1f]}, &(0x7f00000002c0)=0x10) sendmsg$TIPC_CMD_SET_LINK_PRI(r1, &(0x7f0000000600)={&(0x7f00000004c0)={0x10, 0x0, 0x0, 0x4000000}, 0xc, &(0x7f00000005c0)={&(0x7f0000000580)={0x30, 0x0, 0x320, 0x70bd26, 0x25dfdbfe, {{}, 0x0, 0x4108, 0x0, {0x14, 0x18, {0x80, @bearer=@udp='udp:syz0\x00'}}}, [""]}, 0x30}, 0x1, 0x0, 0x0, 0x4000004}, 0x24000090) r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000540)='memory.events\x00', 0x0, 0x0) r4 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$nl_netfilter(r4, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000180)=ANY=[@ANYBLOB="140000000301ffff808fdb003d88c8f00010ae1b"], 0x14}}, 0x0) recvmmsg(r4, &(0x7f00000013c0), 0x4a5, 0x200002, &(0x7f0000000c40)={0x77359400}) getsockopt$sock_int(r4, 0x1, 0x3c, &(0x7f0000000300), &(0x7f0000000340)=0x4) epoll_ctl$EPOLL_CTL_MOD(r1, 0x3, r3, &(0x7f00000006c0)={0x20000000}) getsockopt$inet_IP_XFRM_POLICY(r0, 0x0, 0x11, &(0x7f0000000380)={{{@in=@dev, @in6=@dev}}, {{@in6}, 0x0, @in=@loopback}}, &(0x7f0000000480)=0xe8) 14:49:01 executing program 0: perf_event_open(&(0x7f0000000040)={0x2, 0x70, 0xee67, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) clone(0xbfff, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff) r0 = gettid() r1 = creat(&(0x7f0000000140)='./bus\x00', 0x0) ioctl$EXT4_IOC_GROUP_ADD(r1, 0x40286608, &(0x7f0000000000)) ptrace$setopts(0x4206, r0, 0x0, 0x0) tkill(r0, 0x17) wait4(0x0, 0x0, 0x0, 0x0) 14:49:01 executing program 4: bind$alg(0xffffffffffffffff, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, &(0x7f00000001c0)) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) openat$rfkill(0xffffffffffffff9c, 0x0, 0x0, 0x0) sendmsg$SEG6_CMD_GET_TUNSRC(0xffffffffffffffff, 0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000180)={0x14, 0x0, &(0x7f0000005fd4)=[@acquire_done={0x40486311}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper], 0x1, 0x0, &(0x7f0000000040)="f0"}) setsockopt$inet_pktinfo(0xffffffffffffffff, 0x0, 0x8, 0x0, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000540)={0x4c, 0x0, &(0x7f0000000300)=[@reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 14:49:01 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000040)={'sit0\x00'}) socketpair(0x0, 0x0, 0x0, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f00000000c0)={'sit0\x00\x00\xfe\x00\x00\x00\x00\x00\xc0\xfe\a\x00', 0x141}) [ 207.598421][ T8041] EXT4-fs warning (device sda1): ext4_group_add:1643: No reserved GDT blocks, can't resize [ 207.630701][ T8043] EXT4-fs warning (device sda1): ext4_group_add:1643: No reserved GDT blocks, can't resize 14:49:01 executing program 1: r0 = socket(0x2, 0x1, 0x0) listen(r0, 0x0) r1 = epoll_create1(0x0) epoll_ctl$EPOLL_CTL_ADD(r1, 0x1, r0, &(0x7f0000009ff4)) accept4(r0, 0x0, 0x0, 0x0) epoll_wait(r1, &(0x7f000000cff0)=[{}], 0x1, 0xfffffffffffffff7) shutdown(r0, 0x0) [ 207.720016][ T8048] binder: 8046:8048 ERROR: BC_REGISTER_LOOPER called without request [ 207.744194][ T8048] binder: 8046:8048 ioctl c018620b 0 returned -14 [ 207.755181][ T8048] binder_alloc: 8046: binder_alloc_buf, no vma 14:49:01 executing program 0: r0 = socket$packet(0x11, 0x100000000000003, 0x300) setsockopt$packet_int(r0, 0x107, 0xf, &(0x7f0000006ffc)=0x200, 0xfe61) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000004500)={'bridge0\x00', 0x0}) bind$packet(r0, &(0x7f0000000640)={0x11, 0x0, r1, 0x1, 0x0, 0x6, @random="32cae4783d32"}, 0x14) sendto$inet6(r0, &(0x7f0000000100)="050300000300000000000000c52cf7c21975e697b02f08066b2b2ff0dac8897c6b1187dc13e973a13dd84f04ca1e6d886b6621d8d217cc21e5c8a986f99f4b07d099369a900002aaff41a396f5bad192bcf5cf74755f97fee2b1849884aff2a9b47fac839b362d1393a60c472d24eb19db02bff75cd9c3625ea9da2d78eb600d73fd0b4d01a620ea250619f06765752199e3ae3367c8b7a2a3ab2e1ec40fe7af714c806b5e866bb20f0d298c9566aaf9551c7908de2ed285f414af9f32fcd32000ac8f2457ba0d9159f9e945e8df0b7ca79000e48cf839080d3108355020a5cb57d6933c8384612d250e025e0ff13768c2dbe79834a4b8687891d58b18314b52c7caa3c4847139c1407e1ad3a40b2eeafe2a91d855b29f546b339d1c32fc652c68a83d0973b44c1d801aa3036680c948d1c1f4451e9c96686c248b70b719bed51c38a9257c5ff4700200"/343, 0x157, 0x0, 0x0, 0x0) [ 207.772702][ T8048] binder: 8046:8048 transaction failed 29189/-3, size 0-0 line 3148 [ 207.810761][ T8048] binder: send failed reply for transaction 6 to 8046:8048 [ 207.843790][ T8061] binder_alloc: binder_alloc_mmap_handler: 8046 20001000-20004000 already mapped failed -16 [ 207.879700][ T8060] binder: BINDER_SET_CONTEXT_MGR already set [ 207.894839][ T8060] binder: 8046:8060 ioctl 40046207 0 returned -16 [ 207.917743][ T8061] binder_alloc: 8046: binder_alloc_buf, no vma 14:49:01 executing program 1: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_TIOCINQ(0xffffffffffffffff, 0x541b, 0x0) dup2(r0, r1) setsockopt$inet6_MCAST_LEAVE_GROUP(0xffffffffffffffff, 0x29, 0x2d, 0x0, 0xffffffffffffffd1) recvfrom$unix(r0, &(0x7f00000001c0)=""/94, 0x5e, 0x100, 0x0, 0x0) 14:49:01 executing program 0: perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1ff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000080)={0xffffffffffffffff, 0x0, &(0x7f0000000140)="40c74adc7724e27d876f441d952bf111375896d876c4ed0f2e703cd5f8b64ff3cd946b507daea1c09fc1fe6c"}, 0x20) r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000400)='/dev/net/tun\x00', 0x2, 0x0) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000180)={'nr0\x01\x00', 0x4009}) bpf$BPF_PROG_GET_NEXT_ID(0xb, 0x0, 0x0) ioctl$TUNSETVNETHDRSZ(0xffffffffffffffff, 0x400454d8, 0x0) write$cgroup_subtree(r0, &(0x7f00000000c0)={[{0x0, 'c\x86\xdd', 0x8}]}, 0xfdef) [ 207.942696][ T8055] device sit0 entered promiscuous mode [ 207.955984][ T8061] binder: 8046:8061 transaction failed 29189/-3, size 0-0 line 3148 [ 208.007073][ T8048] binder: 8046:8048 ioctl c018620b 0 returned -14 [ 208.031880][ T8068] binder: 8046:8068 got reply transaction with no transaction stack [ 208.073630][ T8068] binder: 8046:8068 transaction failed 29201/-71, size 0-0 line 2900 14:49:01 executing program 3: socket$inet6(0xa, 0x3, 0x6) fdatasync(0xffffffffffffff9c) socket$inet6(0xa, 0x1000000000002, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sendmsg$IPVS_CMD_DEL_DEST(0xffffffffffffffff, &(0x7f0000000580)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x4}, 0xc, &(0x7f0000000040)={&(0x7f0000000380)=ANY=[@ANYBLOB="9287b748246deeca588edacd5c1cc596a848a41b96d72d9ff1ffcd245d4623bea592fa911a59141ad79770daa350bbd501b4cb95cf19700700000000000000625d08ef137426f4997e282f68591512c4636d34e1d3cc668e8b4f8843a8485590d2eacc2773f295290a92d6f061f3d87a22968a81d80da9a6c39f5c7aa09f49456049763d7bb11d1171be83d26f047ce47c565dbf107ab9605a473e04c7e779a0c244ca4388df158abb"], 0x1}, 0x1, 0x0, 0x0, 0x90}, 0xfffffffffffffffd) r0 = socket$inet6(0xa, 0x6, 0x0) bind$inet6(r0, &(0x7f0000000000)={0xa, 0x4e20}, 0x1c) r1 = socket$inet_dccp(0x2, 0x6, 0x0) listen(r0, 0x6) setsockopt(r1, 0x10d, 0x800000000d, &(0x7f00001c9fff)="03", 0x1) connect$inet(r1, &(0x7f0000e5c000)={0x2, 0x4e20, @dev={0xac, 0x14, 0x14, 0x20}}, 0x10) r2 = accept(r0, 0x0, &(0x7f00000001c0)=0x281) sendmmsg(r1, &(0x7f0000005700)=[{{&(0x7f0000003900)=@pptp, 0x80, &(0x7f0000003b80), 0x3a5, &(0x7f0000003bc0), 0x72}}], 0x3a6, 0x0) setsockopt$SO_BINDTODEVICE(r2, 0x1, 0x19, &(0x7f0000000100)='erspan0\x00', 0xfc) sendmmsg(r1, &(0x7f000000a080)=[{{&(0x7f0000005440)=@pppol2tpin6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x2, {0xa, 0x0, 0x0, @ipv4={[], [], @local}}}}, 0x80, &(0x7f0000005640)=[{&(0x7f00000097c0)="bf", 0x1}], 0x1, 0x0, 0x0, 0x1}}], 0x1, 0x0) 14:49:01 executing program 1: bind$alg(0xffffffffffffffff, 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) openat$rfkill(0xffffffffffffff9c, &(0x7f00000004c0)='/dev/rfkill\x00', 0x0, 0x0) sendmsg$SEG6_CMD_GET_TUNSRC(0xffffffffffffffff, 0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000180)={0x14, 0x0, &(0x7f0000005fd4)=[@acquire_done={0x40486311}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper], 0x1, 0x0, &(0x7f0000000040)="f0"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000540)={0x4c, 0x0, &(0x7f0000000300)=[@reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 14:49:01 executing program 4: bind$alg(0xffffffffffffffff, 0x0, 0x0) r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, &(0x7f00000001c0)) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) openat$rfkill(0xffffffffffffff9c, 0x0, 0x0, 0x0) sendmsg$SEG6_CMD_GET_TUNSRC(0xffffffffffffffff, 0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000180)={0x14, 0x0, &(0x7f0000005fd4)=[@acquire_done={0x40486311}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper], 0x1, 0x0, &(0x7f0000000040)="f0"}) setsockopt$inet_pktinfo(0xffffffffffffffff, 0x0, 0x8, 0x0, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000540)={0x4c, 0x0, &(0x7f0000000300)=[@reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 208.255569][ T8081] binder: BINDER_SET_CONTEXT_MGR already set [ 208.293626][ T8081] binder: 8079:8081 ioctl 40046207 0 returned -16 [ 208.312218][ T8084] binder_alloc: 8046: binder_alloc_buf, no vma [ 208.316795][ T8078] binder: BINDER_SET_CONTEXT_MGR already set [ 208.333611][ T8084] binder: 8079:8084 transaction failed 29189/-3, size 0-0 line 3148 [ 208.368267][ T8078] binder: 8077:8078 ioctl 40046207 0 returned -16 [ 208.369170][ T8085] binder_alloc: 8046: binder_alloc_buf, no vma [ 208.381464][ T8081] binder: 8079:8081 ERROR: BC_REGISTER_LOOPER called without request [ 208.411226][ T8078] binder: 8077:8078 ERROR: BC_REGISTER_LOOPER called without request [ 208.423502][ T8085] binder: 8077:8085 transaction failed 29189/-3, size 0-0 line 3148 [ 208.445730][ T8084] binder: 8079:8084 ioctl c018620b 0 returned -14 [ 208.464880][ T8085] binder: 8077:8085 got reply transaction with no transaction stack [ 208.475685][ T8085] binder: 8077:8085 transaction failed 29201/-71, size 0-0 line 2900 [ 208.494114][ T8084] binder: 8079:8084 got reply transaction with no transaction stack [ 208.508318][ T8084] binder: 8079:8084 transaction failed 29201/-71, size 0-0 line 2900 14:49:02 executing program 5: ioctl$SG_GET_PACK_ID(0xffffffffffffffff, 0x227c, &(0x7f0000000180)) recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f0000000000)={0x26, 'aead\x00', 0x0, 0x0, 'morus640-generic\x00'}, 0x58) setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000080)="ab553fec94248c32e27d04000000288a", 0x10) r1 = openat$full(0xffffffffffffff9c, 0x0, 0x800, 0x0) r2 = accept$alg(r0, 0x0, 0x0) ioctl$ifreq_SIOCGIFINDEX_vcan(0xffffffffffffffff, 0x8933, &(0x7f0000000340)={'vcan0\x00'}) sendmsg$alg(r2, &(0x7f0000001380)={0x0, 0x0, 0x0, 0x0, &(0x7f00000000c0)=[@op={0x18, 0x117, 0x3, 0x1}, @assoc={0x18, 0x117, 0x4, 0x2f5}], 0x30}, 0x0) write$binfmt_script(r2, &(0x7f0000000600)=ANY=[], 0xfec8) recvmmsg(r2, &(0x7f0000007e00)=[{{&(0x7f0000001240)=@alg, 0x80, &(0x7f0000004700)=[{&(0x7f00000012c0)=""/167, 0xf}, {&(0x7f00000023c0)=""/49, 0x200023f1}, {&(0x7f0000003580)=""/4096, 0x1000}], 0x3, &(0x7f0000004780)=""/245, 0xf5}}], 0x30, 0x0, &(0x7f0000008000)={0x0, 0x989680}) ioctl$KVM_PPC_GET_PVINFO(r1, 0x4080aea1, &(0x7f0000000100)=""/4) [ 208.600340][ T26] kauditd_printk_skb: 743 callbacks suppressed [ 208.600353][ T26] audit: type=1800 audit(1554648542.294:40): pid=8058 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed comm="syz-executor.5" name="memory.events" dev="sda1" ino=16545 res=0 [ 208.765551][ T7921] binder: undelivered TRANSACTION_ERROR: 29189 [ 208.771944][ T8053] device sit0 left promiscuous mode [ 208.779376][ T7921] binder: undelivered TRANSACTION_ERROR: 29201 [ 208.785882][ T7921] binder: undelivered TRANSACTION_COMPLETE [ 208.809008][ T7921] binder: undelivered TRANSACTION_ERROR: 29189 14:49:02 executing program 5: socket$inet(0x2, 0x3, 0x7) r0 = socket$netlink(0x10, 0x3, 0x4) sendmsg$nl_generic(r0, &(0x7f0000005000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)={0x48, 0x14, 0x7, 0x0, 0x0, {0x2, 0xf0ffff, 0x600}, [@typed={0x34, 0x0, @binary="582f45cff97465821b0965512fe4fa59a835ee667f000001fd3953ffee03d79dc442c6bbe736863d55a7374efe"}]}, 0x48}}, 0x0) 14:49:02 executing program 2: r0 = socket$inet(0x2, 0x1, 0x0) bind$inet(r0, &(0x7f0000000000)={0x2, 0x4e23, @local}, 0x10) sendto$inet(r0, 0x0, 0x0, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23}, 0x10) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x0, 0x0, 0x0) timer_create(0x0, 0x0, 0x0) times(0x0) syz_open_procfs(0x0, 0x0) fcntl$getown(0xffffffffffffffff, 0x9) tkill(0x0, 0x0) sendmsg(0xffffffffffffffff, 0x0, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) preadv(0xffffffffffffffff, 0x0, 0x0, 0x0) fcntl$dupfd(0xffffffffffffffff, 0x0, 0xffffffffffffffff) ioctl$EVIOCGPROP(0xffffffffffffffff, 0x80404509, 0x0) timer_create(0x0, 0x0, 0x0) syz_extract_tcp_res(0x0, 0x0, 0x0) timer_create(0x0, 0x0, 0x0) timer_create(0x0, 0x0, 0x0) timer_create(0x0, 0x0, 0x0) timer_create(0x0, 0x0, 0x0) timer_create(0x0, 0x0, 0x0) timer_delete(0x0) syz_open_procfs(0x0, 0x0) ioctl$TUNSETVNETLE(0xffffffffffffffff, 0x400454dc, 0x0) setsockopt$inet_tcp_TCP_FASTOPEN_KEY(0xffffffffffffffff, 0x6, 0x21, 0x0, 0xffffffffffffff69) ioctl$TIOCGSID(0xffffffffffffffff, 0x5429, 0x0) r2 = syz_open_procfs(0x0, &(0x7f0000000400)='net/tcp\x00\xcdWq\xe9*\a4g\a^\x90\xb6\xe4kH2\x80/\x88\xb6\xbb\xeb`\xb8@#\x83tH\xae\xa4y\x1d\\]\x93\x93\xb5e\xd9\xd4\xb8A# \xc8*s\xd0g>\x16\xabM\x7foK\xec\x17f\xb9x\x11\xbf\xab\x16\xc5\xcb\x94\xff\x1c\xa0\x01\xb3I\x1c\xb9\xcc\xbb\xbe\x9c\xd0!\x13\xe1\xbc.\xfaG3\x85\xe0,') sendfile(r0, r2, &(0x7f0000000080), 0x80000003) 14:49:02 executing program 5: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) setsockopt$inet6_tcp_int(r0, 0x6, 0x13, &(0x7f00000000c0)=0x100000001, 0x1d4) connect$inet6(r0, &(0x7f0000000080), 0x1c) sendmsg$nl_xfrm(0xffffffffffffffff, &(0x7f0000003c80)={0x0, 0x0, &(0x7f0000000580)={&(0x7f0000000140)=ANY=[@ANYBLOB], 0x1}, 0x8}, 0x0) setsockopt$inet6_tcp_TCP_ULP(r0, 0x6, 0x1f, &(0x7f0000000040)='tls\x00', 0x4) setsockopt$inet6_tcp_TLS_TX(r0, 0x11a, 0x2, &(0x7f0000000100), 0x28) recvmmsg(r0, &(0x7f0000002fc0)=[{{0x0, 0x0, &(0x7f0000002a80)=[{&(0x7f0000000280)=""/124, 0x7c}], 0x1}}], 0x1, 0x0, 0x0) shutdown(r0, 0x0) [ 209.031717][ T8085] binder_alloc: binder_alloc_mmap_handler: 8077 20001000-20004000 already mapped failed -16 14:49:02 executing program 4: r0 = socket(0x4000000000010, 0x80002, 0x0) sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)=@newlink={0x38, 0x10, 0xf0b, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x18, 0x12, @gre={{0x8, 0x1, 'gre\x00'}, {0xc, 0x2, [@IFLA_GRE_LOCAL={0x8, 0x2}]}}}]}, 0x38}}, 0x0) sendmmsg$alg(r0, &(0x7f0000000140), 0x4924924924928bb, 0x0) 14:49:02 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = openat$cgroup(0xffffffffffffff9c, &(0x7f00000002c0)='syz1\x00', 0x200002, 0x0) r1 = openat$cgroup_ro(r0, 0x0, 0x0, 0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000300)) r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}, 0x100}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000180)='memory.events\x00', 0x26e1, 0x0) r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x7a05, 0x1700) ioctl$TUNGETSNDBUF(r1, 0x800454d3, 0x0) bpf$BPF_GET_PROG_INFO(0xf, &(0x7f0000000600)={r1, 0xc0, &(0x7f0000000540)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ""/16, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000440)=0x9, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, &(0x7f0000000480)={0x0, 0x5e, 0x1, 0x3}, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000500)=0x64}}, 0x10) bpf$BPF_PROG_GET_FD_BY_ID(0xd, &(0x7f0000000640)=r5, 0x4) bpf$BPF_GET_BTF_INFO(0xf, &(0x7f00000008c0)={0xffffffffffffffff, 0x10, &(0x7f0000000880)={&(0x7f0000000240)=""/15, 0xf}}, 0x10) r6 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000140)='memory.events\x00', 0x7a05, 0x1700) perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x44a95, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x80) write$cgroup_subtree(r3, &(0x7f0000000540)=ANY=[], 0x22b5) ioctl$PERF_EVENT_IOC_PERIOD(r6, 0x4030582a, &(0x7f0000000040)) write$cgroup_pid(r4, &(0x7f0000000000), 0x200) openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x7a05, 0x1700) bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000200)={0x0, r2, 0x0, 0x2, &(0x7f0000000100)=']\x00', 0xffffffffffffffff}, 0x30) bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000280)={0x0, r2, 0x0, 0x2, &(0x7f00000000c0)=':\x00', r8}, 0x30) perf_event_open(&(0x7f00000006c0)={0x2, 0x70, 0x0, 0x422641d6, 0x100, 0x5, 0x0, 0x3ff, 0x80400, 0x0, 0x3, 0x0, 0x3, 0x4, 0x1, 0x0, 0x1067, 0x0, 0x6, 0x3, 0x2, 0x3, 0x5, 0x80000000, 0xffffffffffff2022, 0x4, 0x0, 0x160, 0x3, 0xbb, 0x0, 0x4, 0x40, 0x0, 0x5, 0x10001, 0xb5e3, 0x0, 0x0, 0x5, 0x4, @perf_config_ext={0x5, 0x7}, 0x4, 0x8, 0x6, 0x7, 0x1, 0x101, 0x1}, r7, 0xffffffffffffffff, r1, 0x2) perf_event_open(&(0x7f00000003c0)={0x3, 0x70, 0x0, 0x4f1, 0x9, 0x0, 0x0, 0x0, 0x4000, 0xc, 0x497, 0x4ba, 0x9, 0x1, 0x5, 0x4, 0x7, 0x96, 0x1000, 0x1ff, 0x8, 0x0, 0x0, 0xff, 0x1ff, 0x5, 0x8, 0xffffffff00000000, 0xbf, 0x4, 0x800, 0x9, 0x20, 0x9f, 0x0, 0x8, 0xcfa, 0x81, 0x0, 0xfffffffffffffffc, 0x6, @perf_bp={0x0, 0x4}, 0x1200, 0x0, 0x0, 0xf, 0x33bab925, 0x2, 0x3f}, 0x0, 0x10, 0xffffffffffffffff, 0x2) [ 209.095227][ T8104] binder_alloc: 8077: binder_alloc_buf, no vma [ 209.109456][ T8107] tls_set_device_offload_rx: netdev lo with no TLS offload [ 209.118133][ T8104] binder: 8077:8104 transaction failed 29189/-3, size 0-0 line 3148 [ 209.169572][ T8085] binder: 8077:8085 ERROR: BC_REGISTER_LOOPER called without request [ 209.207005][ T8117] binder: 8077:8117 got reply transaction with no transaction stack 14:49:02 executing program 1: bind$alg(0xffffffffffffffff, 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) openat$rfkill(0xffffffffffffff9c, &(0x7f00000004c0)='/dev/rfkill\x00', 0x0, 0x0) sendmsg$SEG6_CMD_GET_TUNSRC(0xffffffffffffffff, 0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000180)={0x14, 0x0, &(0x7f0000005fd4)=[@acquire_done={0x40486311}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper], 0x1, 0x0, &(0x7f0000000040)="f0"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000540)={0x4c, 0x0, &(0x7f0000000300)=[@reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) [ 209.233044][ T8117] binder: 8077:8117 transaction failed 29201/-71, size 0-0 line 2900 [ 209.348772][ T8115] netlink: 'syz-executor.4': attribute type 2 has an invalid length. [ 209.372467][ T8112] BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor.5/8112 [ 209.382789][ T8112] caller is ip6_finish_output+0x335/0xdc0 [ 209.388592][ T8112] CPU: 1 PID: 8112 Comm: syz-executor.5 Not tainted 5.1.0-rc3-next-20190405 #19 [ 209.397628][ T8112] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 209.399279][ T8125] binder: BINDER_SET_CONTEXT_MGR already set [ 209.407695][ T8112] Call Trace: [ 209.407762][ T8112] dump_stack+0x172/0x1f0 [ 209.407791][ T8112] __this_cpu_preempt_check+0x246/0x270 [ 209.407815][ T8112] ip6_finish_output+0x335/0xdc0 [ 209.407840][ T8112] ip6_output+0x235/0x7f0 [ 209.407866][ T8112] ? ip6_finish_output+0xdc0/0xdc0 [ 209.441530][ T8112] ? ip6_fragment+0x3980/0x3980 [ 209.446417][ T8112] ip6_xmit+0xe41/0x20c0 [ 209.450692][ T8112] ? ip6_finish_output2+0x2550/0x2550 [ 209.456188][ T8112] ? mark_held_locks+0xf0/0xf0 [ 209.460974][ T8112] ? ip6_setup_cork+0x1870/0x1870 [ 209.466046][ T8112] inet6_csk_xmit+0x2fb/0x5d0 [ 209.469375][ T8125] binder: 8124:8125 ioctl 40046207 0 returned -16 [ 209.470742][ T8112] ? inet6_csk_update_pmtu+0x190/0x190 [ 209.470759][ T8112] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 209.470782][ T8112] ? csum_ipv6_magic+0x20/0x80 [ 209.470821][ T8112] __tcp_transmit_skb+0x1a32/0x3750 [ 209.495196][ T8128] binder_alloc: 8077: binder_alloc_buf, no vma [ 209.498970][ T8112] ? tcp_connect+0x1184/0x4280 [ 209.498994][ T8112] ? __tcp_select_window+0x8b0/0x8b0 [ 209.499008][ T8112] ? lockdep_hardirqs_on+0x418/0x5d0 [ 209.499032][ T8112] ? trace_hardirqs_on+0x67/0x230 [ 209.499055][ T8112] ? tcp_rbtree_insert+0x188/0x200 [ 209.530897][ T8112] tcp_connect+0x2e18/0x4280 [ 209.535517][ T8112] ? tcp_push_one+0x110/0x110 [ 209.540229][ T8112] ? secure_tcpv6_ts_off+0x24f/0x360 [ 209.542529][ T8129] binder: 8124:8129 ERROR: BC_REGISTER_LOOPER called without request [ 209.545532][ T8112] ? secure_dccpv6_sequence_number+0x280/0x280 [ 209.545548][ T8112] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 209.545563][ T8112] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 209.545585][ T8112] ? prandom_u32_state+0x13/0x180 [ 209.577338][ T8112] tcp_v6_connect+0x150b/0x20a0 [ 209.582225][ T8112] ? tcp_v6_conn_request+0x2b0/0x2b0 [ 209.587599][ T8112] __inet_stream_connect+0x83f/0xea0 [ 209.592931][ T8112] ? tcp_v6_conn_request+0x2b0/0x2b0 [ 209.598290][ T8112] ? __inet_stream_connect+0x83f/0xea0 [ 209.603781][ T8112] ? mark_held_locks+0xa4/0xf0 [ 209.608677][ T8112] ? inet_dgram_connect+0x2e0/0x2e0 [ 209.613900][ T8112] ? lock_sock_nested+0x9a/0x120 [ 209.619069][ T8112] ? trace_hardirqs_on+0x67/0x230 [ 209.620731][ T8131] netlink: 'syz-executor.4': attribute type 2 has an invalid length. [ 209.624114][ T8112] ? lock_sock_nested+0x9a/0x120 [ 209.624133][ T8112] ? __local_bh_enable_ip+0x15a/0x270 [ 209.624158][ T8112] inet_stream_connect+0x58/0xa0 [ 209.624179][ T8112] __sys_connect+0x266/0x330 [ 209.624198][ T8112] ? __ia32_sys_accept+0xb0/0xb0 [ 209.624223][ T8112] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 209.656781][ T8128] binder: 8124:8128 transaction failed 29189/-3, size 0-0 line 3148 [ 209.657049][ T8112] ? put_timespec64+0xda/0x140 [ 209.657076][ T8112] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 209.681928][ T8112] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 209.687413][ T8112] ? do_syscall_64+0x26/0x610 [ 209.692113][ T8112] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 209.694024][ T8125] binder: 8124:8125 got reply transaction with no transaction stack [ 209.698218][ T8112] ? do_syscall_64+0x26/0x610 [ 209.698243][ T8112] __x64_sys_connect+0x73/0xb0 [ 209.698262][ T8112] do_syscall_64+0x103/0x610 [ 209.698283][ T8112] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 209.698294][ T8112] RIP: 0033:0x4582b9 [ 209.698311][ T8112] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 209.698319][ T8112] RSP: 002b:00007f1ae77cbc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 209.698334][ T8112] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004582b9 [ 209.698353][ T8112] RDX: 000000000000001c RSI: 0000000020000080 RDI: 0000000000000004 [ 209.774920][ T8112] RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000 [ 209.782906][ T8112] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1ae77cc6d4 [ 209.790894][ T8112] R13: 00000000004be64c R14: 00000000004cf1e0 R15: 00000000ffffffff 14:49:03 executing program 0: r0 = socket$inet6_udplite(0xa, 0x2, 0x88) capset(&(0x7f0000000ac0)={0x19980330}, &(0x7f0000000b00)) r1 = add_key$user(&(0x7f0000000140)='user\x00', &(0x7f0000000180)={'syz'}, 0x0, 0x0, 0xffffffffffffffff) getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000380)={0x0, 0x0, 0x0}, &(0x7f00000003c0)=0xc) keyctl$chown(0x4, r1, 0x0, r2) 14:49:03 executing program 2: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000100)="0adc1f123c123f3188b070") r1 = bpf$MAP_CREATE(0x0, &(0x7f00000001c0)={0x14, 0x4, 0x4, 0x7}, 0x2c) ioctl$sock_inet_SIOCSIFDSTADDR(0xffffffffffffffff, 0x8918, &(0x7f0000000000)={'ip6_vti0\x00', {0x2, 0x0, @loopback}}) bpf$MAP_LOOKUP_ELEM(0x4, &(0x7f0000000040)={r1, &(0x7f0000000000), 0x0}, 0x18) 14:49:03 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = openat$cgroup(0xffffffffffffff9c, &(0x7f00000002c0)='syz1\x00', 0x200002, 0x0) r1 = openat$cgroup_ro(r0, 0x0, 0x0, 0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000300)) r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}, 0x100}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000180)='memory.events\x00', 0x26e1, 0x0) r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x7a05, 0x1700) ioctl$TUNGETSNDBUF(r1, 0x800454d3, 0x0) bpf$BPF_GET_PROG_INFO(0xf, &(0x7f0000000600)={r1, 0xc0, &(0x7f0000000540)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ""/16, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000440)=0x9, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x0, 0x0, &(0x7f0000000480)={0x0, 0x5e, 0x1, 0x3}, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000500)=0x64}}, 0x10) bpf$BPF_PROG_GET_FD_BY_ID(0xd, &(0x7f0000000640)=r5, 0x4) bpf$BPF_GET_BTF_INFO(0xf, &(0x7f00000008c0)={0xffffffffffffffff, 0x10, &(0x7f0000000880)={&(0x7f0000000240)=""/15, 0xf}}, 0x10) r6 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000140)='memory.events\x00', 0x7a05, 0x1700) perf_event_open(&(0x7f0000000040)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x44a95, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x80) write$cgroup_subtree(r3, &(0x7f0000000540)=ANY=[], 0x22b5) ioctl$PERF_EVENT_IOC_PERIOD(r6, 0x4030582a, &(0x7f0000000040)) write$cgroup_pid(r4, &(0x7f0000000000), 0x200) openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x7a05, 0x1700) bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000200)={0x0, r2, 0x0, 0x2, &(0x7f0000000100)=']\x00', 0xffffffffffffffff}, 0x30) bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000280)={0x0, r2, 0x0, 0x2, &(0x7f00000000c0)=':\x00', r8}, 0x30) perf_event_open(&(0x7f00000006c0)={0x2, 0x70, 0x0, 0x422641d6, 0x100, 0x5, 0x0, 0x3ff, 0x80400, 0x0, 0x3, 0x0, 0x3, 0x4, 0x1, 0x0, 0x1067, 0x0, 0x6, 0x3, 0x2, 0x3, 0x5, 0x80000000, 0xffffffffffff2022, 0x4, 0x0, 0x160, 0x3, 0xbb, 0x0, 0x4, 0x40, 0x0, 0x5, 0x10001, 0xb5e3, 0x0, 0x0, 0x5, 0x4, @perf_config_ext={0x5, 0x7}, 0x4, 0x8, 0x6, 0x7, 0x1, 0x101, 0x1}, r7, 0xffffffffffffffff, r1, 0x2) perf_event_open(&(0x7f00000003c0)={0x3, 0x70, 0x0, 0x4f1, 0x9, 0x0, 0x0, 0x0, 0x4000, 0xc, 0x497, 0x4ba, 0x9, 0x1, 0x5, 0x4, 0x7, 0x96, 0x1000, 0x1ff, 0x8, 0x0, 0x0, 0xff, 0x1ff, 0x5, 0x8, 0xffffffff00000000, 0xbf, 0x4, 0x800, 0x9, 0x20, 0x9f, 0x0, 0x8, 0xcfa, 0x81, 0x0, 0xfffffffffffffffc, 0x6, @perf_bp={0x0, 0x4}, 0x1200, 0x0, 0x0, 0xf, 0x33bab925, 0x2, 0x3f}, 0x0, 0x10, 0xffffffffffffffff, 0x2) 14:49:03 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, 0x0) r2 = openat(0xffffffffffffff9c, 0x0, 0x200, 0x10) sendmsg$SEG6_CMD_GET_TUNSRC(r2, 0x0, 0x1) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000180)={0x14, 0x0, &(0x7f0000005fd4)=[@acquire_done={0x40486311}], 0x0, 0x0, &(0x7f0000000680)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper], 0x1, 0x0, &(0x7f0000000040)="f0"}) setsockopt$inet_pktinfo(0xffffffffffffffff, 0x0, 0x8, &(0x7f0000000100)={0x0, @local, @initdev={0xac, 0x1e, 0x1, 0x0}}, 0xc) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000540)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, 0x0}) 14:49:03 executing program 1: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0) perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10000003, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_GET_REG_LIST(0xffffffffffffffff, 0xc008aeb0, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000028000/0x18000)=nil, &(0x7f0000000140)=[@textreal={0x8, 0x0}], 0x1, 0x0, 0x0, 0xffffffffffffff1d) 14:49:03 executing program 2: mkdir(&(0x7f0000000180)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000140)='./file0\x00', &(0x7f00000001c0)='tmpfs\x00', 0x0, 0x0) mkdir(&(0x7f0000000040)='./file0/file1\x00', 0x0) rename(&(0x7f0000000100)='./file0/file1\x00', &(0x7f0000000240)='./file0/file0\x00') 14:49:03 executing program 4: r0 = socket$netlink(0x10, 0x3, 0x4) sendmsg$nl_generic(r0, &(0x7f0000005000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000140)=ANY=[@ANYBLOB="48000000140007000081a31d363a15441e1068c19369c9a32c0000000000000002ff00cff97465821b0965512fe4fa59a835ee667f000001fd3953ffee03d79dc442c6bbe736864e2c42293abfaf4abb743d55a7374efe000000"], 0x1}}, 0x0) [ 210.058040][ T8147] binder_alloc: 8077: binder_alloc_buf, no vma [ 210.096427][ T8147] binder: 8146:8147 ERROR: BC_REGISTER_LOOPER called without request 14:49:03 executing program 4: recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f0000000000)={0x26, 'aead\x00', 0x0, 0x0, 'morus640-generic\x00'}, 0x58) prctl$PR_GET_FP_MODE(0x2e) setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000080)="ab553fec94248c32e27d04000000288a", 0x10) openat$full(0xffffffffffffff9c, 0x0, 0x800, 0x0) clock_gettime(0x0, &(0x7f0000000900)) r1 = accept$alg(r0, 0x0, 0x0) ioctl$ifreq_SIOCGIFINDEX_vcan(0xffffffffffffffff, 0x8933, &(0x7f0000000340)={'vcan0\x00'}) ioctl$SG_GET_COMMAND_Q(0xffffffffffffffff, 0x2270, &(0x7f00000002c0)) sendmsg$alg(r1, &(0x7f0000001380)={0x0, 0x0, 0x0, 0x0, &(0x7f00000000c0)=[@op={0x18, 0x117, 0x3, 0x1}, @assoc={0x18, 0x117, 0x4, 0x2f5}], 0x30}, 0x0) write$binfmt_script(r1, &(0x7f0000000600)=ANY=[], 0xfec8) recvmmsg(r1, &(0x7f0000007e00)=[{{0x0, 0x0, &(0x7f0000004700)=[{&(0x7f00000012c0)=""/167, 0xa7}, {0x0}, {&(0x7f0000003580)=""/4096, 0x1000}], 0x3, &(0x7f0000004780)=""/245, 0xf5}}], 0x1, 0x0, &(0x7f0000008000)={0x0, 0x989680}) [ 210.177392][ T8156] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details. [ 210.200425][ T8159] binder_alloc: 8077: binder_alloc_buf, no vma 14:49:04 executing program 5: r0 = socket$inet_udp(0x2, 0x2, 0x0) ioctl(r0, 0x1000008912, &(0x7f0000000080)="0adc5f123c123f319bd070") r1 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup\x00', 0x200002, 0x0) r2 = openat$cgroup_ro(r1, &(0x7f0000000000)='cgroup.controllers\x00', 0x275a, 0x0) ftruncate(r2, 0x0) 14:49:04 executing program 2: r0 = socket$inet(0xa, 0x801, 0x0) getsockopt$ARPT_SO_GET_REVISION_TARGET(r0, 0x0, 0x63, &(0x7f0000000100)={'icmp\x00'}, &(0x7f0000000140)=0x1e) 14:49:04 executing program 0: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$TIOCGPGRP(0xffffffffffffffff, 0x540f, 0x0) r2 = openat(0xffffffffffffff9c, 0x0, 0x200, 0x10) sendmsg$SEG6_CMD_GET_TUNSRC(r2, 0x0, 0x1) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000180)={0x14, 0x0, &(0x7f0000005fd4)=[@acquire_done={0x40486311}], 0x0, 0x0, &(0x7f0000000680)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000000)=[@register_looper], 0x1, 0x0, &(0x7f0000000040)="f0"}) setsockopt$inet_pktinfo(0xffffffffffffffff, 0x0, 0x8, &(0x7f0000000100)={0x0, @local, @initdev={0xac, 0x1e, 0x1, 0x0}}, 0xc) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000540)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, 0x0}) 14:49:04 executing program 3: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(r0, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x100000000000024d, 0x0) r1 = syz_open_procfs(0x0, &(0x7f0000000080)='cpuset\x00') openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000040)='/dev/cachefiles\x00', 0x0, 0x0) preadv(r1, &(0x7f0000000480), 0x1000000000000237, 0x0) [ 210.534645][ T8174] binder_alloc: 8077: binder_alloc_buf, no vma 14:49:04 executing program 4: recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f0000000000)={0x26, 'aead\x00', 0x0, 0x0, 'morus640-generic\x00'}, 0x58) prctl$PR_GET_FP_MODE(0x2e) setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000080)="ab553fec94248c32e27d04000000288a", 0x10) openat$full(0xffffffffffffff9c, 0x0, 0x800, 0x0) clock_gettime(0x0, &(0x7f0000000900)) r1 = accept$alg(r0, 0x0, 0x0) ioctl$ifreq_SIOCGIFINDEX_vcan(0xffffffffffffffff, 0x8933, &(0x7f0000000340)={'vcan0\x00'}) ioctl$SG_GET_COMMAND_Q(0xffffffffffffffff, 0x2270, &(0x7f00000002c0)) sendmsg$alg(r1, &(0x7f0000001380)={0x0, 0x0, 0x0, 0x0, &(0x7f00000000c0)=[@op={0x18, 0x117, 0x3, 0x1}, @assoc={0x18, 0x117, 0x4, 0x2f5}], 0x30}, 0x0) write$binfmt_script(r1, &(0x7f0000000600)=ANY=[], 0xfec8) recvmmsg(r1, &(0x7f0000007e00)=[{{0x0, 0x0, &(0x7f0000004700)=[{&(0x7f00000012c0)=""/167, 0xa7}, {0x0}, {&(0x7f0000003580)=""/4096, 0x1000}], 0x3, &(0x7f0000004780)=""/245, 0xf5}}], 0x1, 0x0, &(0x7f0000008000)={0x0, 0x989680}) [ 210.586326][ T8174] binder: 8173:8174 ERROR: BC_REGISTER_LOOPER called without request 14:49:04 executing program 3: recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f0000000000)={0x26, 'aead\x00', 0x0, 0x0, 'morus640-generic\x00'}, 0x58) prctl$PR_GET_FP_MODE(0x2e) setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000080)="ab553fec94248c32e27d04000000288a", 0x10) openat$full(0xffffffffffffff9c, 0x0, 0x800, 0x0) clock_gettime(0x0, &(0x7f0000000900)) r1 = accept$alg(r0, 0x0, 0x0) ioctl$ifreq_SIOCGIFINDEX_vcan(0xffffffffffffffff, 0x8933, &(0x7f0000000340)={'vcan0\x00'}) ioctl$SG_GET_COMMAND_Q(0xffffffffffffffff, 0x2270, &(0x7f00000002c0)) sendmsg$alg(r1, &(0x7f0000001380)={0x0, 0x0, 0x0, 0x0, &(0x7f00000000c0)=[@op={0x18, 0x117, 0x3, 0x1}, @assoc={0x18, 0x117, 0x4, 0x2f5}], 0x30}, 0x0) write$binfmt_script(r1, &(0x7f0000000600)=ANY=[], 0xfec8) recvmmsg(r1, &(0x7f0000007e00)=[{{0x0, 0x0, &(0x7f0000004700)=[{&(0x7f00000012c0)=""/167, 0xa7}, {0x0}, {&(0x7f0000003580)=""/4096, 0x1000}], 0x3, &(0x7f0000004780)=""/245, 0xf5}}], 0x1, 0x0, &(0x7f0000008000)={0x0, 0x989680}) 14:49:04 executing program 0: 14:49:04 executing program 5: r0 = socket$inet_udp(0x2, 0x2, 0x0) ioctl(r0, 0x1000008912, &(0x7f0000000080)="0adc5f123c123f319bd070") r1 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup\x00', 0x200002, 0x0) r2 = openat$cgroup_ro(r1, &(0x7f0000000000)='cgroup.controllers\x00', 0x275a, 0x0) ftruncate(r2, 0x0) [ 211.351376][ T2888] binder: undelivered TRANSACTION_ERROR: 29189 [ 211.357655][ T2888] binder: undelivered TRANSACTION_ERROR: 29189 [ 211.363937][ T2888] binder: undelivered TRANSACTION_ERROR: 29189 [ 211.370173][ T2888] binder: undelivered TRANSACTION_ERROR: 29201 [ 211.376357][ T2888] binder: undelivered TRANSACTION_ERROR: 29189 [ 211.382705][ T2888] binder: undelivered TRANSACTION_ERROR: 29201 [ 211.389002][ T2888] binder: undelivered TRANSACTION_ERROR: 29189 [ 211.395186][ T2888] binder: undelivered TRANSACTION_ERROR: 29201 14:49:05 executing program 1: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f0000000000)={0x26, 'aead\x00', 0x0, 0x0, 'morus640-generic\x00'}, 0x58) setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000080)="ab553fec94248c32e27d04000000288a", 0x10) r1 = accept$alg(r0, 0x0, 0x0) write$binfmt_script(r1, &(0x7f0000000600)=ANY=[], 0xfec8) recvmmsg(r1, &(0x7f0000007e00)=[{{&(0x7f0000001240)=@alg, 0x80, &(0x7f0000004700)=[{&(0x7f00000012c0)=""/167, 0xf}, {&(0x7f00000023c0)=""/49, 0x200023f1}, {&(0x7f0000003580)=""/4096, 0x1000}], 0x3, &(0x7f0000004780)=""/245, 0xf5}}], 0x30, 0x0, &(0x7f0000008000)={0x0, 0x989680}) 14:49:05 executing program 4: 14:49:05 executing program 0: 14:49:05 executing program 5: 14:49:05 executing program 3: [ 211.401475][ T2888] binder: undelivered TRANSACTION_ERROR: 29189 [ 211.407729][ T2888] binder: undelivered TRANSACTION_ERROR: 29201 14:49:05 executing program 2: 14:49:05 executing program 3: 14:49:05 executing program 0: 14:49:05 executing program 4: 14:49:05 executing program 5: 14:49:05 executing program 3: 14:49:05 executing program 0: 14:49:05 executing program 1: 14:49:05 executing program 5: 14:49:05 executing program 4: 14:49:05 executing program 2: 14:49:05 executing program 4: 14:49:05 executing program 1: 14:49:05 executing program 0: 14:49:05 executing program 3: 14:49:05 executing program 5: 14:49:05 executing program 0: 14:49:05 executing program 1: 14:49:05 executing program 4: 14:49:05 executing program 5: 14:49:05 executing program 2: 14:49:05 executing program 3: 14:49:05 executing program 0: 14:49:05 executing program 1: 14:49:05 executing program 2: 14:49:05 executing program 4: 14:49:05 executing program 5: 14:49:05 executing program 3: 14:49:06 executing program 1: 14:49:06 executing program 4: 14:49:06 executing program 0: 14:49:06 executing program 2: 14:49:06 executing program 5: 14:49:06 executing program 1: 14:49:06 executing program 3: 14:49:06 executing program 4: 14:49:06 executing program 2: 14:49:06 executing program 0: 14:49:06 executing program 5: 14:49:06 executing program 3: 14:49:06 executing program 1: 14:49:06 executing program 4: 14:49:06 executing program 2: 14:49:06 executing program 5: 14:49:06 executing program 0: 14:49:06 executing program 3: 14:49:06 executing program 1: 14:49:06 executing program 4: 14:49:06 executing program 0: 14:49:06 executing program 5: 14:49:06 executing program 2: 14:49:06 executing program 3: 14:49:06 executing program 1: 14:49:06 executing program 4: 14:49:06 executing program 0: r0 = socket$inet(0x2, 0x3, 0x6) r1 = socket$netlink(0x10, 0x3, 0x4) connect$inet(r0, &(0x7f0000000100)={0x2, 0x0, @empty}, 0x10) sendmsg$nl_generic(r1, &(0x7f0000005000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)={0x48, 0x14, 0x7, 0x0, 0x0, {0x2, 0xf0ffff, 0x600}, [@typed={0x34, 0x0, @binary="582f45cff97465821b0965512fe4fa59a835ee66f9746582fd3953ffee03d79dc442c6bbe736863d55a7374efe"}]}, 0x48}}, 0x0) 14:49:06 executing program 3: r0 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ppp\x00', 0x0, 0x0) ioctl$PPPIOCNEWUNIT(r0, 0xc004743e, &(0x7f00000000c0)) 14:49:06 executing program 5: perf_event_open(&(0x7f0000000040)={0x2, 0x70, 0xee68, 0x1, 0x0, 0x0, 0x0, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$BLKTRACESTOP(0xffffffffffffffff, 0x1275, 0x0) syz_mount_image$vfat(&(0x7f0000000540)='vfat\x00', &(0x7f00000002c0)='./file0\x00', 0x800000000e004, 0x1, &(0x7f0000000140)=[{&(0x7f0000010000)="eb3c906d6b66732e666174000204010002000270fff8", 0x16}], 0x0, 0x0) r0 = open(&(0x7f0000000200)='./file0\x00', 0x0, 0x0) fchdir(r0) getsockopt$inet_IP_XFRM_POLICY(0xffffffffffffffff, 0x0, 0x11, 0x0, &(0x7f0000000100)) setsockopt$packet_add_memb(0xffffffffffffffff, 0x107, 0x1, 0x0, 0x0) ioctl$sock_netdev_private(r0, 0x89f9, &(0x7f00000003c0)="84420ca704018f0165774b3408a0e6c96eb49bfdbb5deafded524691fd470636752856db98064cf079f066bb27e63d9409d8db39897efddd88f46d31cc6f7b8698b2d3f42115e29cacc8ca7e77c324a9549e7359885891e8ce6a7c8684c0e17cb03d9c8eabc2cab1496dc2f057d971ea013e") rmdir(&(0x7f00000005c0)='./bus\x00') write$cgroup_type(0xffffffffffffffff, 0x0, 0x0) write$UHID_DESTROY(r0, &(0x7f0000000280), 0x4) lsetxattr$security_evm(0x0, &(0x7f0000000240)='security.evm\x00', &(0x7f0000000180)=ANY=[@ANYBLOB="02871eae5b3d38849fd139e04759c83d338c8939c643ee6e8ffc2b3955aadd124ce3bc1da81a746c7957"], 0x1, 0x1) r1 = open(&(0x7f00000000c0)='./bus\x00', 0x141042, 0x0) write$binfmt_aout(r1, &(0x7f0000000340)=ANY=[@ANYBLOB="00000000000000000700080000ee8b08b7960ff7aa6e041c7700fdff863809aa0063b8f24252b1d85cbf000000000038f710653f0ffb09f0d536b564df5e0a9efd50fe203534da91b5b9fb501e1ac4bfa3841f9d63e232b9b2500fb1d96033ccfdff066428eb4c319a6d"], 0x6a) perf_event_open(&(0x7f0000000800)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50a, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) unlink(&(0x7f0000000040)='./bus\x00') sendfile(r1, r1, &(0x7f0000000000), 0x8080fffffffe) r2 = syz_open_dev$usbmon(0x0, 0x1, 0x121001) ioctl$GIO_UNISCRNMAP(r1, 0x4b69, &(0x7f0000000440)=""/144) ioctl$DRM_IOCTL_AGP_ALLOC(r2, 0xc0206434, &(0x7f00000001c0)={0x8, 0x0, 0x10001}) ioctl$DRM_IOCTL_AGP_UNBIND(r1, 0x40106437, &(0x7f0000000300)={r3, 0x7fffffff}) setsockopt$inet_tcp_TLS_RX(0xffffffffffffffff, 0x6, 0x2, &(0x7f0000000600), 0x4) prctl$PR_SVE_SET_VL(0x32, 0x12e5e) prctl$PR_GET_DUMPABLE(0x3) getsockopt$inet6_IPV6_IPSEC_POLICY(0xffffffffffffffff, 0x29, 0x22, 0x0, &(0x7f0000000500)) quotactl(0x6, 0x0, 0x0, 0x0) mkdir(&(0x7f0000000580)='./bus\x00', 0x0) 14:49:06 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f0000000000)={0x26, 'aead\x00', 0x0, 0x0, 'morus640-generic\x00'}, 0x58) setsockopt$ALG_SET_KEY(r0, 0x117, 0x1, &(0x7f0000000080)="ab553fec94248c32e27d04000000288a", 0x10) r1 = accept$alg(r0, 0x0, 0x0) write$binfmt_script(r1, &(0x7f0000000600)=ANY=[], 0xfec8) recvmmsg(r1, &(0x7f0000007e00)=[{{&(0x7f0000001240)=@alg, 0x80, &(0x7f0000004700)=[{&(0x7f00000023c0)=""/49, 0x31}, {&(0x7f0000003580)=""/4096, 0x1000}], 0x2}}], 0x1, 0x0, &(0x7f0000008000)={0x0, 0x989680}) 14:49:06 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x5, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001"], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x14, 0x0, &(0x7f0000000680)=[@acquire_done], 0x0, 0x0, 0x0}) 14:49:06 executing program 4: 14:49:06 executing program 0: r0 = socket$inet(0x2, 0x3, 0x6) r1 = socket$netlink(0x10, 0x3, 0x4) connect$inet(r0, &(0x7f0000000100)={0x2, 0x0, @empty}, 0x10) sendmsg$nl_generic(r1, &(0x7f0000005000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)={0x48, 0x14, 0x7, 0x0, 0x0, {0x2, 0xf0ffff, 0x600}, [@typed={0x34, 0x0, @binary="582f45cff97465821b0965512fe4fa59a835ee66f9746582fd3953ffee03d79dc442c6bbe736863d55a7374efe"}]}, 0x48}}, 0x0) [ 213.285410][ T8333] binder: 8332:8333 ioctl c018620b 0 returned -14 14:49:07 executing program 4: 14:49:07 executing program 2: [ 213.382293][ T8344] binder_alloc: binder_alloc_mmap_handler: 8332 20001000-20004000 already mapped failed -16 14:49:07 executing program 0: r0 = socket$inet(0x2, 0x3, 0x6) r1 = socket$netlink(0x10, 0x3, 0x4) connect$inet(r0, &(0x7f0000000100)={0x2, 0x0, @empty}, 0x10) sendmsg$nl_generic(r1, &(0x7f0000005000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)={0x48, 0x14, 0x7, 0x0, 0x0, {0x2, 0xf0ffff, 0x600}, [@typed={0x34, 0x0, @binary="582f45cff97465821b0965512fe4fa59a835ee66f9746582fd3953ffee03d79dc442c6bbe736863d55a7374efe"}]}, 0x48}}, 0x0) 14:49:07 executing program 3: [ 213.432855][ T8333] binder: 8332:8333 ioctl c018620b 0 returned -14 [ 213.436456][ T8347] binder: BINDER_SET_CONTEXT_MGR already set [ 213.482923][ T8351] binder: 8332:8351 Release 1 refcount change on invalid ref 1 ret -22 [ 213.490289][ T8347] binder: 8332:8347 ioctl 40046207 0 returned -16 [ 213.497818][ T8348] binder_alloc: 8332: binder_alloc_buf, no vma [ 213.517298][ T8348] binder_transaction: 4 callbacks suppressed [ 213.517315][ T8348] binder: 8332:8348 transaction failed 29189/-3, size 24-8 line 3148 14:49:07 executing program 0: r0 = socket$inet(0x2, 0x3, 0x6) r1 = socket$netlink(0x10, 0x3, 0x4) connect$inet(r0, &(0x7f0000000100)={0x2, 0x0, @empty}, 0x10) sendmsg$nl_generic(r1, &(0x7f0000005000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)={0x48, 0x14, 0x7, 0x0, 0x0, {0x2, 0xf0ffff, 0x600}, [@typed={0x34, 0x0, @binary="582f45cff97465821b0965512fe4fa59a835ee66f9746582fd3953ffee03d79dc442c6bbe736863d55a7374efe"}]}, 0x48}}, 0x0) 14:49:07 executing program 3: [ 213.567285][ T7921] binder: release 8332:8344 transaction 23 out, still active 14:49:07 executing program 4: [ 213.612343][ T7921] binder: send failed reply for transaction 23, target dead 14:49:07 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x5, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001"], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x14, 0x0, &(0x7f0000000680)=[@acquire_done], 0x0, 0x0, 0x0}) 14:49:07 executing program 2: 14:49:07 executing program 0: socket$inet(0x2, 0x3, 0x6) r0 = socket$netlink(0x10, 0x3, 0x4) sendmsg$nl_generic(r0, &(0x7f0000005000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)={0x48, 0x14, 0x7, 0x0, 0x0, {0x2, 0xf0ffff, 0x600}, [@typed={0x34, 0x0, @binary="582f45cff97465821b0965512fe4fa59a835ee66f9746582fd3953ffee03d79dc442c6bbe736863d55a7374efe"}]}, 0x48}}, 0x0) 14:49:07 executing program 4: 14:49:07 executing program 3: 14:49:07 executing program 5: 14:49:07 executing program 4: 14:49:07 executing program 2: 14:49:07 executing program 3: 14:49:07 executing program 0: socket$inet(0x2, 0x3, 0x6) sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000005000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)={0x48, 0x14, 0x7, 0x0, 0x0, {0x2, 0xf0ffff, 0x600}, [@typed={0x34, 0x0, @binary="582f45cff97465821b0965512fe4fa59a835ee66f9746582fd3953ffee03d79dc442c6bbe736863d55a7374efe"}]}, 0x48}}, 0x0) [ 214.087678][ T8380] binder: 8374:8380 ioctl c018620b 0 returned -14 [ 214.172418][ T7921] binder: release 8374:8381 transaction 28 out, still active 14:49:07 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000000400)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f00000000c0)=[@enter_looper], 0x1, 0x0, &(0x7f0000000700)='+'}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0xfffffffffffffe43, 0x0, &(0x7f00000003c0)}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000001c0)={0x5, 0x0, &(0x7f0000000840)=ANY=[@ANYBLOB="0663044001"], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000003c0)={0x14, 0x0, &(0x7f0000000680)=[@acquire_done], 0x0, 0x0, 0x0}) 14:49:07 executing program 3: 14:49:07 executing program 4: 14:49:08 executing program 2: 14:49:08 executing program 5: [ 214.250579][ T7921] binder: send failed reply for transaction 28, target dead 14:49:08 executing program 0: socket$inet(0x2, 0x3, 0x6) sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000005000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)={0x48, 0x14, 0x7, 0x0, 0x0, {0x2, 0xf0ffff, 0x600}, [@typed={0x34, 0x0, @binary="582f45cff97465821b0965512fe4fa59a835ee66f9746582fd3953ffee03d79dc442c6bbe736863d55a7374efe"}]}, 0x48}}, 0x0) [ 214.334745][ T8396] binder: 8395:8396 ioctl c018620b 0 returned -14 14:49:08 executing program 3: 14:49:08 executing program 4: 14:49:08 executing program 5: 14:49:08 executing program 2: 14:49:08 executing program 0: socket$inet(0x2, 0x3, 0x6) sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000005000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)={0x48, 0x14, 0x7, 0x0, 0x0, {0x2, 0xf0ffff, 0x600}, [@typed={0x34, 0x0, @binary="582f45cff97465821b0965512fe4fa59a835ee66f9746582fd3953ffee03d79dc442c6bbe736863d55a7374efe"}]}, 0x48}}, 0x0) [ 214.463241][ T8407] binder: 8395:8407 BC_ACQUIRE_DONE u0000000000000000 no match 14:49:08 executing program 3: 14:49:08 executing program 1: socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) pipe(&(0x7f0000000340)={0xffffffffffffffff, 0xffffffffffffffff}) write$UHID_CREATE2(r2, &(0x7f00000001c0)=ANY=[@ANYBLOB='\v'], 0x1) r3 = socket$inet_udp(0x2, 0x2, 0x0) close(r3) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) setsockopt$SO_ATTACH_FILTER(r4, 0x1, 0x1a, &(0x7f0000ab9ff0)={0x2, &(0x7f000039a000)=[{0x20, 0x0, 0x0, 0x7ffffffffffff00c}, {0x6}]}, 0x10) write$binfmt_misc(r2, &(0x7f0000000140)=ANY=[], 0x4240a2a0) splice(r1, 0x0, r3, 0x0, 0x10005, 0x0) 14:49:08 executing program 4: 14:49:08 executing program 2: 14:49:08 executing program 5: 14:49:08 executing program 0: r0 = socket$netlink(0x10, 0x3, 0x4) sendmsg$nl_generic(r0, &(0x7f0000005000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)={0x48, 0x14, 0x7, 0x0, 0x0, {0x2, 0xf0ffff, 0x600}, [@typed={0x34, 0x0, @binary="582f45cff97465821b0965512fe4fa59a835ee66f9746582fd3953ffee03d79dc442c6bbe736863d55a7374efe"}]}, 0x48}}, 0x0) 14:49:08 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = add_key$keyring(0x0, &(0x7f0000000340)={'syz'}, 0x0, 0x0, 0xfffffffffffffffc) socket$inet6(0xa, 0x2, 0x0) ioctl$BLKFLSBUF(0xffffffffffffffff, 0x1261, 0x0) r1 = creat(&(0x7f0000000000)='./file0\x00', 0x80) ioctl$SNDRV_SEQ_IOCTL_SET_CLIENT_INFO(r1, 0x40bc5311, 0x0) recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_GET_CLIENT_INFO(r1, 0xc0bc5310, &(0x7f0000000240)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$SNDRV_SEQ_IOCTL_SET_CLIENT_INFO(r1, 0x40bc5311, &(0x7f0000000380)={0xd1ee, 0x3, 'client0\x00', 0x1, "262ebd337fa2abf8", "7e083401503478e2a1a6d417bcb435b240431c170194e89653f8c98412107df0", 0x75, 0x946}) r2 = socket(0x200000000000011, 0x2, 0x0) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000000c0)={'sit0\x00', 0x0}) syz_open_dev$vcsn(0x0, 0x1, 0x0) lgetxattr(0x0, &(0x7f0000000200)=@known='trusted.overlay.redirect\x00', 0x0, 0x0) bind$packet(r2, &(0x7f0000000040)={0x11, 0x0, r3, 0x1, 0x0, 0x6, @broadcast}, 0x14) setsockopt$packet_int(r2, 0x107, 0x14, &(0x7f0000000180)=0x20, 0x4) setsockopt$inet_pktinfo(0xffffffffffffffff, 0x0, 0x8, 0x0, 0x0) ftruncate(0xffffffffffffffff, 0x8) sendmmsg(r2, &(0x7f0000000d00), 0x400004e, 0x0) getsockopt$SO_COOKIE(0xffffffffffffffff, 0x1, 0x39, 0x0, 0x0) setsockopt$inet_tcp_TCP_CONGESTION(0xffffffffffffffff, 0x6, 0xd, 0x0, 0x0) setsockopt$ARPT_SO_SET_REPLACE(r2, 0x0, 0x60, &(0x7f0000000800)=ANY=[@ANYBLOB="66696c746572000000000000000000000000000000000000000000000000000007000000040000006004000058020000580200001801000078030000780300007803000004000000000000000000000000000000ac14140effffffff00000000aaaaaaaaaabb00000000000000000000000000000000000000000000ffff0000000000000000000000000000000000000000000000000000000000000000000000000000ff00000000000000000000000008000300af0400bfcb0000697036746e6c3000000000fcffffffff617269644f655f736c6176655f31000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0001801000000000000000000000000000000000000000000000000000028004e46515545554500000000000000000000000000000000000000000000030000006003000000ac1414aae00000020000000000000000aaaaaaaaaabb000000000000000000000000000000000000ffff0000000000000000000000000000aaaaaaaaaaaa00000000000000000000000000000000000000ff0000ffff00000000000000000000000000fc0000000000001bca697036677265746170300000000000006970646470300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0004001000000000000000000000000000000000000000000000000000050006d616e676c65000000000000000000000000000000000000000000000000aaaaaaaaaaaa0000000000000000000000000000000000000000000000000000ac1e00017f0000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f000200100000000000000000000000000000000000000000000000000003000434f4e4e4d41524b000000000000000000000000000000000000000000010600000020000000000000000000000000000000660a8185000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c000e8000000000000000000000000000000000000000000000000002800000000000000000000000000000000000000000000000000000000000000feffffff00000000"], 0x1) keyctl$search(0xa, r0, &(0x7f0000000100)='syzkaller\x00', 0x0, r0) r4 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000140)='~\xea\x00w') openat$ppp(0xffffffffffffff9c, &(0x7f0000000180)='/dev/ppp\x00', 0x80000, 0x0) ioctl$LOOP_SET_FD(r4, 0x4c00, 0xffffffffffffffff) prctl$PR_SET_MM(0x23, 0x2, &(0x7f0000ffe000/0x1000)=nil) [ 215.093974][ T5] binder: release 8395:8396 transaction 32 out, still active [ 215.106460][ T7921] binder: send failed reply for transaction 32, target dead 14:49:08 executing program 2: symlink(0x0, 0x0) lstat(0x0, 0x0) ioctl$PERF_EVENT_IOC_PERIOD(0xffffffffffffffff, 0x40082404, 0x0) write$P9_RCREATE(0xffffffffffffffff, 0x0, 0x0) r0 = eventfd(0x0) lsetxattr$security_smack_entry(0x0, 0x0, 0x0, 0x0, 0x0) write$P9_RLOCK(r0, &(0x7f0000000840)={0x8}, 0x8) 14:49:08 executing program 4: openat$zero(0xffffffffffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x0, 0x0) add_key$keyring(0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe) r0 = openat$cgroup_procs(0xffffffffffffffff, &(0x7f0000000000), 0x2, 0x0) request_key(0x0, 0x0, 0x0, 0x0) write$binfmt_aout(0xffffffffffffffff, 0x0, 0x0) prctl$PR_SET_MM(0x23, 0x0, &(0x7f0000ffa000/0x4000)=nil) ioctl$FIBMAP(r0, 0x5421, &(0x7f0000000080)) 14:49:08 executing program 5: 14:49:08 executing program 0: r0 = socket$netlink(0x10, 0x3, 0x0) sendmsg$nl_generic(r0, &(0x7f0000005000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)={0x48, 0x14, 0x7, 0x0, 0x0, {0x2, 0xf0ffff, 0x600}, [@typed={0x34, 0x0, @binary="582f45cff97465821b0965512fe4fa59a835ee66f9746582fd3953ffee03d79dc442c6bbe736863d55a7374efe"}]}, 0x48}}, 0x0) 14:49:09 executing program 5: [ 215.320999][ T8449] netlink: 48 bytes leftover after parsing attributes in process `syz-executor.0'. 14:49:09 executing program 2: