0000004) r1 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r1, &(0x7f0000000100)={0x2, 0x4e20}, 0x10) setsockopt$inet_tcp_TCP_CONGESTION(r1, 0x6, 0xd, &(0x7f0000000000)='dctcp\x00', 0x6) r2 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000300)='/dev/vcs\x00', 0x10000, 0x0) ioctl$PERF_EVENT_IOC_MODIFY_ATTRIBUTES(r2, 0x4008240b, &(0x7f0000000200)={0x0, 0xfffffffffffffee5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0xfffffffffffffffc, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}) r3 = socket$inet_udplite(0x2, 0x2, 0x88) r4 = add_key$keyring(&(0x7f0000000340)='keyring\x00', &(0x7f0000000380)={'syz', 0x3}, 0x0, 0x0, 0xfffffffffffffffd) request_key(&(0x7f00000000c0)='keyring\x00', &(0x7f0000000140)={'syz', 0x0}, &(0x7f0000000180)='dctcp\x00', r4) ioctl(r3, 0x1000008914, &(0x7f0000000000)) socket$inet_udp(0x2, 0x2, 0x0) bind$inet(0xffffffffffffffff, 0x0, 0x0) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x0, 0x0, 0x0) connect$inet(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_ifreq(0xffffffffffffffff, 0x0, 0x0) setsockopt$inet_opts(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) setsockopt$inet_tcp_TCP_CONGESTION(0xffffffffffffffff, 0x6, 0xd, 0x0, 0x0) sysfs$3(0x3) getsockopt$IP_VS_SO_GET_VERSION(0xffffffffffffffff, 0x0, 0x480, 0x0, 0x0) setsockopt$netlink_NETLINK_BROADCAST_ERROR(0xffffffffffffffff, 0x10e, 0x4, 0x0, 0x0) setsockopt$SO_BINDTODEVICE(0xffffffffffffffff, 0x1, 0x19, 0x0, 0xfffffffffffffeaa) sendto$inet(r1, 0x0, 0x0, 0x20000000, &(0x7f0000000080)={0x2, 0x4e20}, 0x4f) sendto$inet(r1, &(0x7f0000000700)="f4", 0x1, 0x0, 0x0, 0x0) writev(r0, &(0x7f0000000040)=[{&(0x7f0000000280)="580000001400192340834b80040d8c5602067fffffff81000000000000dca87086a5c000004f6400940005891550f4a8000000006700008000f0fffeffff09000080fff5dd0000001000010000", 0x4d}], 0x1) 08:35:46 executing program 3: gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={0x0, 0x0}}, &(0x7f0000044000)) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(r0, &(0x7f0000000700)=[{&(0x7f0000000600)=""/246, 0x2b7}], 0x1, 0x0) preadv(r0, &(0x7f0000000200)=[{&(0x7f0000000340)=""/135, 0x87}], 0x1, 0x0) [ 717.690458][T13002] binder: undelivered TRANSACTION_COMPLETE [ 717.694256][T13683] binder_alloc: 13673: binder_alloc_buf, no vma [ 717.718130][T13678] binder: 13673:13678 ioctl 40046207 0 returned -16 [ 717.729331][T13002] binder: send failed reply for transaction 6633, target dead 08:35:46 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={0xffffffffffffffff, &(0x7f00000001c0)="a3d814ed569657ab0ab4630f015dc01caadd0fac785486c0e8b9e83ee0fe2d512b6fddb5771af3330d33"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) [ 717.739574][T13680] binder: 13675:13680 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER [ 717.749181][T13680] binder: 13675:13680 got reply transaction with no transaction stack [ 717.757377][T13680] binder: 13675:13680 transaction failed 29201/-71, size 0-40 line 2900 [ 717.789368][T13683] binder: 13673:13683 transaction failed 29189/-3, size 0-0 line 3148 [ 717.817845][ T22] binder: undelivered TRANSACTION_ERROR: 29189 08:35:46 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) setxattr(&(0x7f0000000000)='./file0\x00', &(0x7f0000000080)=@random={'system.', '/*^eth1trusted\x00'}, &(0x7f00000000c0)='lo@\x00', 0x4, 0x3) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:35:46 executing program 5: r0 = socket$netlink(0x10, 0x3, 0x4000000000000004) r1 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r1, &(0x7f0000000100)={0x2, 0x4e20}, 0x10) setsockopt$inet_tcp_TCP_CONGESTION(r1, 0x6, 0xd, &(0x7f0000000000)='dctcp\x00', 0x6) r2 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000300)='/dev/vcs\x00', 0x10000, 0x0) ioctl$PERF_EVENT_IOC_MODIFY_ATTRIBUTES(r2, 0x4008240b, &(0x7f0000000200)={0x0, 0xfffffffffffffee5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0xfffffffffffffffc, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}) r3 = socket$inet_udplite(0x2, 0x2, 0x88) r4 = add_key$keyring(&(0x7f0000000340)='keyring\x00', &(0x7f0000000380)={'syz', 0x3}, 0x0, 0x0, 0xfffffffffffffffd) request_key(&(0x7f00000000c0)='keyring\x00', &(0x7f0000000140)={'syz', 0x0}, &(0x7f0000000180)='dctcp\x00', r4) ioctl(r3, 0x1000008914, &(0x7f0000000000)) socket$inet_udp(0x2, 0x2, 0x0) bind$inet(0xffffffffffffffff, 0x0, 0x0) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x0, 0x0, 0x0) connect$inet(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_ifreq(0xffffffffffffffff, 0x0, 0x0) setsockopt$inet_opts(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) setsockopt$inet_tcp_TCP_CONGESTION(0xffffffffffffffff, 0x6, 0xd, 0x0, 0x0) sysfs$3(0x3) getsockopt$IP_VS_SO_GET_VERSION(0xffffffffffffffff, 0x0, 0x480, 0x0, 0x0) setsockopt$netlink_NETLINK_BROADCAST_ERROR(0xffffffffffffffff, 0x10e, 0x4, 0x0, 0x0) setsockopt$SO_BINDTODEVICE(0xffffffffffffffff, 0x1, 0x19, 0x0, 0xfffffffffffffeaa) sendto$inet(r1, 0x0, 0x0, 0x20000000, &(0x7f0000000080)={0x2, 0x4e20}, 0x4f) sendto$inet(r1, &(0x7f0000000700)="f4", 0x1, 0x0, 0x0, 0x0) writev(r0, &(0x7f0000000040)=[{&(0x7f0000000280)="580000001400192340834b80040d8c5602067fffffff81000000000000dca87086a5c000004f6400940005891550f4a8000000006700008000f0fffeffff09000080fff5dd0000001000010000", 0x4d}], 0x1) [ 717.890423][T13696] binder: 13692:13696 transaction failed 29189/-22, size 0-0 line 2995 [ 717.920808][ T22] binder: undelivered TRANSACTION_ERROR: 29189 08:35:46 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x5c, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @enter_looper, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, 0x0, &(0x7f0000000080)=[0x38, 0x18, 0x30, 0x20, 0x30]}, 0x4}}], 0xa3, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32bda5cb71a466568148a404a431aa03db22670f0f"}) [ 718.010766][T13703] binder: 13702:13703 got transaction with invalid data ptr [ 718.032303][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:35:47 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:35:47 executing program 3: gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={0x0, 0x0}}, &(0x7f0000044000)) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(r0, &(0x7f0000000700)=[{&(0x7f0000000600)=""/246, 0x2b7}], 0x1, 0x0) preadv(r0, &(0x7f0000000200)=[{&(0x7f0000000340)=""/135, 0x87}], 0x1, 0x0) 08:35:47 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={0xffffffffffffffff, &(0x7f00000001c0)="a3d814ed569657ab0ab4630f015dc01caadd0fac785486c0e8b9e83ee0fe2d512b6fddb5771af3330d33"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) 08:35:47 executing program 2: r0 = openat$selinux_commit_pending_bools(0xffffffffffffff9c, &(0x7f0000000000)='/selinux/commit_pending_bools\x00', 0x1, 0x0) ioctl$PPPIOCSDEBUG(r0, 0x40047440, &(0x7f0000000080)=0x7) getsockname$netrom(r0, &(0x7f00000004c0)={{0x3, @default}, [@default, @default, @default, @remote, @bcast, @rose, @remote, @null]}, &(0x7f00000001c0)=0x10000013b) r1 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) [ 718.137111][T13718] binder: 13709:13718 ERROR: BC_REGISTER_LOOPER called without request 08:35:47 executing program 5: r0 = socket$netlink(0x10, 0x3, 0x4000000000000004) r1 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r1, &(0x7f0000000100)={0x2, 0x4e20}, 0x10) setsockopt$inet_tcp_TCP_CONGESTION(r1, 0x6, 0xd, &(0x7f0000000000)='dctcp\x00', 0x6) r2 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000300)='/dev/vcs\x00', 0x10000, 0x0) ioctl$PERF_EVENT_IOC_MODIFY_ATTRIBUTES(r2, 0x4008240b, &(0x7f0000000200)={0x0, 0xfffffffffffffee5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0xfffffffffffffffc, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}) r3 = socket$inet_udplite(0x2, 0x2, 0x88) r4 = add_key$keyring(&(0x7f0000000340)='keyring\x00', &(0x7f0000000380)={'syz', 0x3}, 0x0, 0x0, 0xfffffffffffffffd) request_key(&(0x7f00000000c0)='keyring\x00', &(0x7f0000000140)={'syz', 0x0}, &(0x7f0000000180)='dctcp\x00', r4) ioctl(r3, 0x1000008914, &(0x7f0000000000)) socket$inet_udp(0x2, 0x2, 0x0) bind$inet(0xffffffffffffffff, 0x0, 0x0) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x0, 0x0, 0x0) connect$inet(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_ifreq(0xffffffffffffffff, 0x0, 0x0) setsockopt$inet_opts(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) setsockopt$inet_tcp_TCP_CONGESTION(0xffffffffffffffff, 0x6, 0xd, 0x0, 0x0) sysfs$3(0x3) getsockopt$IP_VS_SO_GET_VERSION(0xffffffffffffffff, 0x0, 0x480, 0x0, 0x0) setsockopt$netlink_NETLINK_BROADCAST_ERROR(0xffffffffffffffff, 0x10e, 0x4, 0x0, 0x0) setsockopt$SO_BINDTODEVICE(0xffffffffffffffff, 0x1, 0x19, 0x0, 0xfffffffffffffeaa) sendto$inet(r1, 0x0, 0x0, 0x20000000, &(0x7f0000000080)={0x2, 0x4e20}, 0x4f) sendto$inet(r1, &(0x7f0000000700)="f4", 0x1, 0x0, 0x0, 0x0) writev(r0, &(0x7f0000000040)=[{&(0x7f0000000280)="580000001400192340834b80040d8c5602067fffffff81000000000000dca87086a5c000004f6400940005891550f4a8000000006700008000f0fffeffff09000080fff5dd00000010000100000c0900fcff00", 0x53}], 0x1) 08:35:47 executing program 3: gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={0x0, 0x0}}, &(0x7f0000044000)) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(r0, &(0x7f0000000700)=[{&(0x7f0000000600)=""/246, 0x2b7}], 0x1, 0x0) preadv(r0, &(0x7f0000000200)=[{&(0x7f0000000340)=""/135, 0x87}], 0x1, 0x0) [ 718.216772][ T22] binder: undelivered TRANSACTION_ERROR: 29189 [ 718.217868][T13718] binder: 13709:13718 DecRefs 0 refcount change on invalid ref 4 ret -22 [ 718.244641][T13718] binder: 13709:13718 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER [ 718.253978][T13718] binder: 13709:13718 got reply transaction with no transaction stack 08:35:47 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={0xffffffffffffffff, &(0x7f00000001c0)="a3d814ed569657ab0ab4630f015dc01caadd0fac785486c0e8b9e83ee0fe2d512b6fddb5771af3330d33"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) [ 718.311269][T13729] binder: 13724:13729 got transaction to context manager from process owning it 08:35:47 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x5c, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @enter_looper, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, 0x0, &(0x7f0000000080)=[0x38, 0x18, 0x30, 0x20, 0x30]}, 0x4}}], 0xa3, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32bda5cb71a466568148a404a431aa03db22670f0f"}) [ 718.371874][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 718.381141][T13734] binder: 13724:13734 got transaction to context manager from process owning it 08:35:47 executing program 3: gettid() openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(r0, &(0x7f0000000700)=[{&(0x7f0000000600)=""/246, 0x2b7}], 0x1, 0x0) preadv(r0, &(0x7f0000000200)=[{&(0x7f0000000340)=""/135, 0x87}], 0x1, 0x0) 08:35:47 executing program 5: r0 = socket$netlink(0x10, 0x3, 0x4000000000000004) r1 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r1, &(0x7f0000000100)={0x2, 0x4e20}, 0x10) setsockopt$inet_tcp_TCP_CONGESTION(r1, 0x6, 0xd, &(0x7f0000000000)='dctcp\x00', 0x6) r2 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000300)='/dev/vcs\x00', 0x10000, 0x0) ioctl$PERF_EVENT_IOC_MODIFY_ATTRIBUTES(r2, 0x4008240b, &(0x7f0000000200)={0x0, 0xfffffffffffffee5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0xfffffffffffffffc, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}) r3 = socket$inet_udplite(0x2, 0x2, 0x88) r4 = add_key$keyring(&(0x7f0000000340)='keyring\x00', &(0x7f0000000380)={'syz', 0x3}, 0x0, 0x0, 0xfffffffffffffffd) request_key(&(0x7f00000000c0)='keyring\x00', &(0x7f0000000140)={'syz', 0x0}, &(0x7f0000000180)='dctcp\x00', r4) ioctl(r3, 0x1000008914, &(0x7f0000000000)) socket$inet_udp(0x2, 0x2, 0x0) bind$inet(0xffffffffffffffff, 0x0, 0x0) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x0, 0x0, 0x0) connect$inet(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_ifreq(0xffffffffffffffff, 0x0, 0x0) setsockopt$inet_opts(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) setsockopt$inet_tcp_TCP_CONGESTION(0xffffffffffffffff, 0x6, 0xd, 0x0, 0x0) sysfs$3(0x3) getsockopt$IP_VS_SO_GET_VERSION(0xffffffffffffffff, 0x0, 0x480, 0x0, 0x0) setsockopt$netlink_NETLINK_BROADCAST_ERROR(0xffffffffffffffff, 0x10e, 0x4, 0x0, 0x0) setsockopt$SO_BINDTODEVICE(0xffffffffffffffff, 0x1, 0x19, 0x0, 0xfffffffffffffeaa) sendto$inet(r1, 0x0, 0x0, 0x20000000, &(0x7f0000000080)={0x2, 0x4e20}, 0x4f) sendto$inet(r1, &(0x7f0000000700)="f4", 0x1, 0x0, 0x0, 0x0) writev(r0, &(0x7f0000000040)=[{&(0x7f0000000280)="580000001400192340834b80040d8c5602067fffffff81000000000000dca87086a5c000004f6400940005891550f4a8000000006700008000f0fffeffff09000080fff5dd00000010000100000c0900fcff00", 0x53}], 0x1) [ 718.500279][T13744] binder_alloc: 13724: binder_alloc_buf, no vma [ 718.509243][T13745] binder: 13741:13745 got reply transaction with no transaction stack 08:35:47 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x5c, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @enter_looper, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, 0x0, &(0x7f0000000080)=[0x38, 0x18, 0x30, 0x20, 0x30]}, 0x4}}], 0xa3, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32bda5cb71a466568148a404a431aa03db22670f0f"}) 08:35:47 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) r2 = openat$selinux_status(0xffffffffffffff9c, &(0x7f0000000000)='/selinux/status\x00', 0x0, 0x0) r3 = openat$selinux_avc_cache_threshold(0xffffffffffffff9c, &(0x7f0000000100)='/selinux/avc/cache_threshold\x00', 0x2, 0x0) perf_event_open$cgroup(&(0x7f0000000080)={0x0, 0x70, 0x3, 0x0, 0x8, 0x3, 0x0, 0x0, 0x4000, 0x3, 0x96d, 0x7, 0x9, 0x1, 0x9cf, 0x1ff, 0x7f, 0x3, 0xff, 0x708, 0x9, 0x4153, 0x10001, 0x80000001, 0x3, 0x2, 0xfffffffffffffffd, 0x4, 0x7dc4, 0x167, 0x3f, 0x3, 0x3, 0x7fffffff, 0x5, 0x3, 0x3, 0x1d16, 0x0, 0x4, 0x7, @perf_config_ext={0x2, 0x3}, 0x2000, 0x5, 0x1, 0x7, 0x7fffffff, 0x7f, 0x200}, r2, 0xf, r3, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) [ 718.716469][T13759] binder: 13758:13759 got reply transaction with no transaction stack [ 718.767584][T13762] binder: 13761:13762 got transaction with invalid data ptr 08:35:47 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:35:47 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, 0x0}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) 08:35:47 executing program 3: openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(r0, &(0x7f0000000700)=[{&(0x7f0000000600)=""/246, 0x2b7}], 0x1, 0x0) preadv(r0, &(0x7f0000000200)=[{&(0x7f0000000340)=""/135, 0x87}], 0x1, 0x0) 08:35:47 executing program 5: r0 = socket$netlink(0x10, 0x3, 0x4000000000000004) r1 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r1, &(0x7f0000000100)={0x2, 0x4e20}, 0x10) setsockopt$inet_tcp_TCP_CONGESTION(r1, 0x6, 0xd, &(0x7f0000000000)='dctcp\x00', 0x6) r2 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000300)='/dev/vcs\x00', 0x10000, 0x0) ioctl$PERF_EVENT_IOC_MODIFY_ATTRIBUTES(r2, 0x4008240b, &(0x7f0000000200)={0x0, 0xfffffffffffffee5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0xfffffffffffffffc, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}) r3 = socket$inet_udplite(0x2, 0x2, 0x88) r4 = add_key$keyring(&(0x7f0000000340)='keyring\x00', &(0x7f0000000380)={'syz', 0x3}, 0x0, 0x0, 0xfffffffffffffffd) request_key(&(0x7f00000000c0)='keyring\x00', &(0x7f0000000140)={'syz', 0x0}, &(0x7f0000000180)='dctcp\x00', r4) ioctl(r3, 0x1000008914, &(0x7f0000000000)) socket$inet_udp(0x2, 0x2, 0x0) bind$inet(0xffffffffffffffff, 0x0, 0x0) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x0, 0x0, 0x0) connect$inet(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_ifreq(0xffffffffffffffff, 0x0, 0x0) setsockopt$inet_opts(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) setsockopt$inet_tcp_TCP_CONGESTION(0xffffffffffffffff, 0x6, 0xd, 0x0, 0x0) sysfs$3(0x3) getsockopt$IP_VS_SO_GET_VERSION(0xffffffffffffffff, 0x0, 0x480, 0x0, 0x0) setsockopt$netlink_NETLINK_BROADCAST_ERROR(0xffffffffffffffff, 0x10e, 0x4, 0x0, 0x0) setsockopt$SO_BINDTODEVICE(0xffffffffffffffff, 0x1, 0x19, 0x0, 0xfffffffffffffeaa) sendto$inet(r1, 0x0, 0x0, 0x20000000, &(0x7f0000000080)={0x2, 0x4e20}, 0x4f) sendto$inet(r1, &(0x7f0000000700)="f4", 0x1, 0x0, 0x0, 0x0) writev(r0, &(0x7f0000000040)=[{&(0x7f0000000280)="580000001400192340834b80040d8c5602067fffffff81000000000000dca87086a5c000004f6400940005891550f4a8000000006700008000f0fffeffff09000080fff5dd00000010000100000c0900fcff00", 0x53}], 0x1) 08:35:47 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x5c, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @enter_looper, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x4}}], 0xa3, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32bda5cb71a466568148a404a431aa03db22670f0f"}) 08:35:47 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000180)=ANY=[], 0x0, 0x0, 0x0}) 08:35:48 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x5c, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @enter_looper, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x4}}], 0xa3, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32bda5cb71a466568148a404a431aa03db22670f0f"}) [ 719.105762][T13775] binder: 13771:13775 got reply transaction with no transaction stack 08:35:48 executing program 3: openat$ptmx(0xffffffffffffff9c, 0x0, 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(r0, &(0x7f0000000700)=[{&(0x7f0000000600)=""/246, 0x2b7}], 0x1, 0x0) preadv(r0, &(0x7f0000000200)=[{&(0x7f0000000340)=""/135, 0x87}], 0x1, 0x0) 08:35:48 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:35:48 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, 0x0}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) 08:35:48 executing program 5: r0 = socket$netlink(0x10, 0x3, 0x4000000000000004) r1 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r1, &(0x7f0000000100)={0x2, 0x4e20}, 0x10) setsockopt$inet_tcp_TCP_CONGESTION(r1, 0x6, 0xd, &(0x7f0000000000)='dctcp\x00', 0x6) r2 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000300)='/dev/vcs\x00', 0x10000, 0x0) ioctl$PERF_EVENT_IOC_MODIFY_ATTRIBUTES(r2, 0x4008240b, &(0x7f0000000200)={0x0, 0xfffffffffffffee5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0xfffffffffffffffc, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}) r3 = socket$inet_udplite(0x2, 0x2, 0x88) r4 = add_key$keyring(&(0x7f0000000340)='keyring\x00', &(0x7f0000000380)={'syz', 0x3}, 0x0, 0x0, 0xfffffffffffffffd) request_key(&(0x7f00000000c0)='keyring\x00', &(0x7f0000000140)={'syz', 0x0}, &(0x7f0000000180)='dctcp\x00', r4) ioctl(r3, 0x1000008914, &(0x7f0000000000)) socket$inet_udp(0x2, 0x2, 0x0) bind$inet(0xffffffffffffffff, 0x0, 0x0) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x0, 0x0, 0x0) connect$inet(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_ifreq(0xffffffffffffffff, 0x0, 0x0) setsockopt$inet_opts(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) setsockopt$inet_tcp_TCP_CONGESTION(0xffffffffffffffff, 0x6, 0xd, 0x0, 0x0) sysfs$3(0x3) getsockopt$IP_VS_SO_GET_VERSION(0xffffffffffffffff, 0x0, 0x480, 0x0, 0x0) setsockopt$netlink_NETLINK_BROADCAST_ERROR(0xffffffffffffffff, 0x10e, 0x4, 0x0, 0x0) setsockopt$SO_BINDTODEVICE(0xffffffffffffffff, 0x1, 0x19, 0x0, 0xfffffffffffffeaa) sendto$inet(r1, 0x0, 0x0, 0x20000000, &(0x7f0000000080)={0x2, 0x4e20}, 0x4f) sendto$inet(r1, &(0x7f0000000700)="f4", 0x1, 0x0, 0x0, 0x0) writev(r0, &(0x7f0000000040)=[{&(0x7f0000000280)="580000001400192340834b80040d8c5602067fffffff81000000000000dca87086a5c000004f6400940005891550f4a8000000006700008000f0fffeffff09000080fff5dd00000010000100000c0900fcff0000040e", 0x56}], 0x1) 08:35:48 executing program 3: openat$ptmx(0xffffffffffffff9c, 0x0, 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(r0, &(0x7f0000000700)=[{&(0x7f0000000600)=""/246, 0x2b7}], 0x1, 0x0) preadv(r0, &(0x7f0000000200)=[{&(0x7f0000000340)=""/135, 0x87}], 0x1, 0x0) [ 719.330599][T13794] binder_thread_write: 3 callbacks suppressed [ 719.330609][T13794] binder: 13786:13794 ERROR: BC_REGISTER_LOOPER called without request [ 719.358362][T13796] binder: 13791:13796 got transaction to context manager from process owning it [ 719.402559][T13794] binder_thread_write: 3 callbacks suppressed [ 719.402579][T13794] binder: 13786:13794 DecRefs 0 refcount change on invalid ref 4 ret -22 [ 719.417677][T13800] binder: 13791:13800 got transaction to context manager from process owning it [ 719.438980][T13794] binder_thread_write: 3 callbacks suppressed [ 719.438992][T13794] binder: 13786:13794 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER [ 719.469368][T13794] binder: 13786:13794 got reply transaction with no transaction stack 08:35:49 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:35:49 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, 0x0}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) 08:35:49 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x2, 0x20011, r1, 0x5d) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="11634840000000fbffffff000000020000000000000000000000dd86200000000000000054"], 0x0, 0x0, 0x0}) 08:35:49 executing program 5: r0 = socket$netlink(0x10, 0x3, 0x4000000000000004) r1 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r1, &(0x7f0000000100)={0x2, 0x4e20}, 0x10) setsockopt$inet_tcp_TCP_CONGESTION(r1, 0x6, 0xd, &(0x7f0000000000)='dctcp\x00', 0x6) r2 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000300)='/dev/vcs\x00', 0x10000, 0x0) ioctl$PERF_EVENT_IOC_MODIFY_ATTRIBUTES(r2, 0x4008240b, &(0x7f0000000200)={0x0, 0xfffffffffffffee5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0xfffffffffffffffc, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}) r3 = socket$inet_udplite(0x2, 0x2, 0x88) r4 = add_key$keyring(&(0x7f0000000340)='keyring\x00', &(0x7f0000000380)={'syz', 0x3}, 0x0, 0x0, 0xfffffffffffffffd) request_key(&(0x7f00000000c0)='keyring\x00', &(0x7f0000000140)={'syz', 0x0}, &(0x7f0000000180)='dctcp\x00', r4) ioctl(r3, 0x1000008914, &(0x7f0000000000)) socket$inet_udp(0x2, 0x2, 0x0) bind$inet(0xffffffffffffffff, 0x0, 0x0) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x0, 0x0, 0x0) connect$inet(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_ifreq(0xffffffffffffffff, 0x0, 0x0) setsockopt$inet_opts(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) setsockopt$inet_tcp_TCP_CONGESTION(0xffffffffffffffff, 0x6, 0xd, 0x0, 0x0) sysfs$3(0x3) getsockopt$IP_VS_SO_GET_VERSION(0xffffffffffffffff, 0x0, 0x480, 0x0, 0x0) setsockopt$netlink_NETLINK_BROADCAST_ERROR(0xffffffffffffffff, 0x10e, 0x4, 0x0, 0x0) setsockopt$SO_BINDTODEVICE(0xffffffffffffffff, 0x1, 0x19, 0x0, 0xfffffffffffffeaa) sendto$inet(r1, 0x0, 0x0, 0x20000000, &(0x7f0000000080)={0x2, 0x4e20}, 0x4f) sendto$inet(r1, &(0x7f0000000700)="f4", 0x1, 0x0, 0x0, 0x0) writev(r0, &(0x7f0000000040)=[{&(0x7f0000000280)="580000001400192340834b80040d8c5602067fffffff81000000000000dca87086a5c000004f6400940005891550f4a8000000006700008000f0fffeffff09000080fff5dd00000010000100000c0900fcff0000040e", 0x56}], 0x1) 08:35:49 executing program 3: openat$ptmx(0xffffffffffffff9c, 0x0, 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(r0, &(0x7f0000000700)=[{&(0x7f0000000600)=""/246, 0x2b7}], 0x1, 0x0) preadv(r0, &(0x7f0000000200)=[{&(0x7f0000000340)=""/135, 0x87}], 0x1, 0x0) 08:35:49 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x5c, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @enter_looper, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x4}}], 0xa3, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32bda5cb71a466568148a404a431aa03db22670f0f"}) [ 720.337569][T13820] binder: 13818:13820 got transaction to invalid handle [ 720.363430][T13823] binder: 13816:13823 ERROR: BC_REGISTER_LOOPER called without request 08:35:49 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r2 = syz_open_dev$audion(&(0x7f0000000000)='/dev/audio#\x00', 0x1, 0x40) ioctl$DRM_IOCTL_DROP_MASTER(r2, 0x641f) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:35:49 executing program 3: openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, 0x0) preadv(r0, &(0x7f0000000700)=[{&(0x7f0000000600)=""/246, 0x2b7}], 0x1, 0x0) preadv(r0, &(0x7f0000000200)=[{&(0x7f0000000340)=""/135, 0x87}], 0x1, 0x0) [ 720.395067][T13823] binder: 13816:13823 DecRefs 0 refcount change on invalid ref 4 ret -22 [ 720.433548][T13823] binder: 13816:13823 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER 08:35:49 executing program 5: r0 = socket$netlink(0x10, 0x3, 0x4000000000000004) r1 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r1, &(0x7f0000000100)={0x2, 0x4e20}, 0x10) setsockopt$inet_tcp_TCP_CONGESTION(r1, 0x6, 0xd, &(0x7f0000000000)='dctcp\x00', 0x6) r2 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000300)='/dev/vcs\x00', 0x10000, 0x0) ioctl$PERF_EVENT_IOC_MODIFY_ATTRIBUTES(r2, 0x4008240b, &(0x7f0000000200)={0x0, 0xfffffffffffffee5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0xfffffffffffffffc, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}) r3 = socket$inet_udplite(0x2, 0x2, 0x88) r4 = add_key$keyring(&(0x7f0000000340)='keyring\x00', &(0x7f0000000380)={'syz', 0x3}, 0x0, 0x0, 0xfffffffffffffffd) request_key(&(0x7f00000000c0)='keyring\x00', &(0x7f0000000140)={'syz', 0x0}, &(0x7f0000000180)='dctcp\x00', r4) ioctl(r3, 0x1000008914, &(0x7f0000000000)) socket$inet_udp(0x2, 0x2, 0x0) bind$inet(0xffffffffffffffff, 0x0, 0x0) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x0, 0x0, 0x0) connect$inet(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_ifreq(0xffffffffffffffff, 0x0, 0x0) setsockopt$inet_opts(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) setsockopt$inet_tcp_TCP_CONGESTION(0xffffffffffffffff, 0x6, 0xd, 0x0, 0x0) sysfs$3(0x3) getsockopt$IP_VS_SO_GET_VERSION(0xffffffffffffffff, 0x0, 0x480, 0x0, 0x0) setsockopt$netlink_NETLINK_BROADCAST_ERROR(0xffffffffffffffff, 0x10e, 0x4, 0x0, 0x0) setsockopt$SO_BINDTODEVICE(0xffffffffffffffff, 0x1, 0x19, 0x0, 0xfffffffffffffeaa) sendto$inet(r1, 0x0, 0x0, 0x20000000, &(0x7f0000000080)={0x2, 0x4e20}, 0x4f) sendto$inet(r1, &(0x7f0000000700)="f4", 0x1, 0x0, 0x0, 0x0) writev(r0, &(0x7f0000000040)=[{&(0x7f0000000280)="580000001400192340834b80040d8c5602067fffffff81000000000000dca87086a5c000004f6400940005891550f4a8000000006700008000f0fffeffff09000080fff5dd00000010000100000c0900fcff0000040e", 0x56}], 0x1) 08:35:49 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) [ 720.495779][T13823] binder: 13816:13823 got reply transaction with no transaction stack 08:35:49 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x5c, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @enter_looper, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0xa3, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32bda5cb71a466568148a404a431aa03db22670f0f"}) [ 720.619048][T13840] binder: 13835:13840 got transaction with invalid data ptr [ 720.653500][T13844] binder: 13835:13844 got transaction with invalid data ptr 08:35:49 executing program 3: openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, 0x0) preadv(r0, &(0x7f0000000700)=[{&(0x7f0000000600)=""/246, 0x2b7}], 0x1, 0x0) preadv(r0, &(0x7f0000000200)=[{&(0x7f0000000340)=""/135, 0x87}], 0x1, 0x0) [ 720.758337][T13852] binder: 13848:13852 ERROR: BC_REGISTER_LOOPER called without request [ 720.803949][T13852] binder: 13848:13852 DecRefs 0 refcount change on invalid ref 4 ret -22 [ 720.844694][T13852] binder: 13848:13852 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER [ 720.868870][T13852] binder: 13848:13852 got reply transaction with no transaction stack 08:35:50 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(0x0, 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:35:50 executing program 5: r0 = socket$netlink(0x10, 0x3, 0x4000000000000004) r1 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r1, &(0x7f0000000100)={0x2, 0x4e20}, 0x10) setsockopt$inet_tcp_TCP_CONGESTION(r1, 0x6, 0xd, &(0x7f0000000000)='dctcp\x00', 0x6) r2 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000300)='/dev/vcs\x00', 0x10000, 0x0) ioctl$PERF_EVENT_IOC_MODIFY_ATTRIBUTES(r2, 0x4008240b, &(0x7f0000000200)={0x0, 0xfffffffffffffee5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0xfffffffffffffffc, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}) r3 = socket$inet_udplite(0x2, 0x2, 0x88) r4 = add_key$keyring(&(0x7f0000000340)='keyring\x00', &(0x7f0000000380)={'syz', 0x3}, 0x0, 0x0, 0xfffffffffffffffd) request_key(&(0x7f00000000c0)='keyring\x00', &(0x7f0000000140)={'syz', 0x0}, &(0x7f0000000180)='dctcp\x00', r4) ioctl(r3, 0x1000008914, &(0x7f0000000000)) socket$inet_udp(0x2, 0x2, 0x0) bind$inet(0xffffffffffffffff, 0x0, 0x0) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x0, 0x0, 0x0) connect$inet(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_ifreq(0xffffffffffffffff, 0x0, 0x0) setsockopt$inet_opts(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) setsockopt$inet_tcp_TCP_CONGESTION(0xffffffffffffffff, 0x6, 0xd, 0x0, 0x0) sysfs$3(0x3) getsockopt$IP_VS_SO_GET_VERSION(0xffffffffffffffff, 0x0, 0x480, 0x0, 0x0) setsockopt$netlink_NETLINK_BROADCAST_ERROR(0xffffffffffffffff, 0x10e, 0x4, 0x0, 0x0) setsockopt$SO_BINDTODEVICE(0xffffffffffffffff, 0x1, 0x19, 0x0, 0xfffffffffffffeaa) sendto$inet(r1, 0x0, 0x0, 0x20000000, &(0x7f0000000080)={0x2, 0x4e20}, 0x4f) sendto$inet(r1, &(0x7f0000000700)="f4", 0x1, 0x0, 0x0, 0x0) writev(r0, &(0x7f0000000040)=[{&(0x7f0000000280)="580000001400192340834b80040d8c5602067fffffff81000000000000dca87086a5c000004f6400940005891550f4a8000000006700008000f0fffeffff09000080fff5dd00000010000100000c0900fcff0000040e05", 0x57}], 0x1) 08:35:50 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0x0, 0x200000000000) recvmmsg(0xffffffffffffffff, &(0x7f0000003500)=[{{0x0, 0x0, &(0x7f0000002580)=[{&(0x7f0000000000)=""/115, 0x73}], 0x1}}], 0x1, 0x0, 0x0) r1 = syz_open_procfs(0x0, &(0x7f0000000100)='net/ip_mr_cache\x00') preadv(r1, &(0x7f0000000480), 0x10000000000002a1, 0x36) read$FUSE(r1, &(0x7f0000000240), 0x1000) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r2, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x20, 0x0, &(0x7f0000000080)=ANY=[@ANYBLOB="116363400000000000000000000002000000000000400000adff7fad0e29bf54"], 0x0, 0x0, 0x0}) 08:35:50 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) 08:35:50 executing program 3: openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, 0x0) preadv(r0, &(0x7f0000000700)=[{&(0x7f0000000600)=""/246, 0x2b7}], 0x1, 0x0) preadv(r0, &(0x7f0000000200)=[{&(0x7f0000000340)=""/135, 0x87}], 0x1, 0x0) 08:35:50 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0xa3, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32bda5cb71a466568148a404a431aa03db22670f0f"}) [ 721.530381][T13868] binder: 13862:13868 ERROR: BC_REGISTER_LOOPER called without request [ 721.539675][T13867] binder_transaction: 22 callbacks suppressed [ 721.539691][T13867] binder: 13865:13867 transaction failed 29189/-22, size 0-0 line 2995 [ 721.550838][T13866] binder: 13861:13866 unknown command 1080255249 [ 721.565413][T13868] binder: 13862:13868 DecRefs 0 refcount change on invalid ref 4 ret -22 08:35:50 executing program 3: openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(0xffffffffffffffff, &(0x7f0000000700)=[{&(0x7f0000000600)=""/246, 0x2b7}], 0x1, 0x0) preadv(r0, &(0x7f0000000200)=[{&(0x7f0000000340)=""/135, 0x87}], 0x1, 0x0) [ 721.584303][ T17] binder_release_work: 12 callbacks suppressed [ 721.584311][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 721.599802][T13866] binder: 13861:13866 ioctl c0306201 20000200 returned -22 [ 721.619584][T13868] binder: 13862:13868 got reply transaction with no transaction stack 08:35:50 executing program 5: r0 = socket$netlink(0x10, 0x3, 0x4000000000000004) r1 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r1, &(0x7f0000000100)={0x2, 0x4e20}, 0x10) setsockopt$inet_tcp_TCP_CONGESTION(r1, 0x6, 0xd, &(0x7f0000000000)='dctcp\x00', 0x6) r2 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000300)='/dev/vcs\x00', 0x10000, 0x0) ioctl$PERF_EVENT_IOC_MODIFY_ATTRIBUTES(r2, 0x4008240b, &(0x7f0000000200)={0x0, 0xfffffffffffffee5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0xfffffffffffffffc, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}) r3 = socket$inet_udplite(0x2, 0x2, 0x88) r4 = add_key$keyring(&(0x7f0000000340)='keyring\x00', &(0x7f0000000380)={'syz', 0x3}, 0x0, 0x0, 0xfffffffffffffffd) request_key(&(0x7f00000000c0)='keyring\x00', &(0x7f0000000140)={'syz', 0x0}, &(0x7f0000000180)='dctcp\x00', r4) ioctl(r3, 0x1000008914, &(0x7f0000000000)) socket$inet_udp(0x2, 0x2, 0x0) bind$inet(0xffffffffffffffff, 0x0, 0x0) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x0, 0x0, 0x0) connect$inet(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_ifreq(0xffffffffffffffff, 0x0, 0x0) setsockopt$inet_opts(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) setsockopt$inet_tcp_TCP_CONGESTION(0xffffffffffffffff, 0x6, 0xd, 0x0, 0x0) sysfs$3(0x3) getsockopt$IP_VS_SO_GET_VERSION(0xffffffffffffffff, 0x0, 0x480, 0x0, 0x0) setsockopt$netlink_NETLINK_BROADCAST_ERROR(0xffffffffffffffff, 0x10e, 0x4, 0x0, 0x0) setsockopt$SO_BINDTODEVICE(0xffffffffffffffff, 0x1, 0x19, 0x0, 0xfffffffffffffeaa) sendto$inet(r1, 0x0, 0x0, 0x20000000, &(0x7f0000000080)={0x2, 0x4e20}, 0x4f) sendto$inet(r1, &(0x7f0000000700)="f4", 0x1, 0x0, 0x0, 0x0) writev(r0, &(0x7f0000000040)=[{&(0x7f0000000280)="580000001400192340834b80040d8c5602067fffffff81000000000000dca87086a5c000004f6400940005891550f4a8000000006700008000f0fffeffff09000080fff5dd00000010000100000c0900fcff0000040e05", 0x57}], 0x1) [ 721.645740][T13875] binder: 13861:13875 unknown command 1080255249 08:35:50 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) [ 721.695488][T13868] binder: 13862:13868 transaction failed 29201/-71, size 0-0 line 2900 [ 721.715701][T13875] binder: 13861:13875 ioctl c0306201 20000200 returned -22 08:35:50 executing program 3: openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(0xffffffffffffffff, &(0x7f0000000700)=[{&(0x7f0000000600)=""/246, 0x2b7}], 0x1, 0x0) preadv(r0, &(0x7f0000000200)=[{&(0x7f0000000340)=""/135, 0x87}], 0x1, 0x0) 08:35:50 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0xa3, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32bda5cb71a466568148a404a431aa03db22670f0f"}) 08:35:50 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r2 = openat$selinux_checkreqprot(0xffffffffffffff9c, &(0x7f0000000000)='/selinux/checkreqprot\x00', 0x200, 0x0) connect$rds(r2, &(0x7f0000000080)={0x2, 0x4e24, @empty}, 0x10) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:35:50 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(0x0, 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:35:50 executing program 5: r0 = socket$netlink(0x10, 0x3, 0x4000000000000004) r1 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r1, &(0x7f0000000100)={0x2, 0x4e20}, 0x10) setsockopt$inet_tcp_TCP_CONGESTION(r1, 0x6, 0xd, &(0x7f0000000000)='dctcp\x00', 0x6) r2 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000300)='/dev/vcs\x00', 0x10000, 0x0) ioctl$PERF_EVENT_IOC_MODIFY_ATTRIBUTES(r2, 0x4008240b, &(0x7f0000000200)={0x0, 0xfffffffffffffee5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0xfffffffffffffffc, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}) r3 = socket$inet_udplite(0x2, 0x2, 0x88) r4 = add_key$keyring(&(0x7f0000000340)='keyring\x00', &(0x7f0000000380)={'syz', 0x3}, 0x0, 0x0, 0xfffffffffffffffd) request_key(&(0x7f00000000c0)='keyring\x00', &(0x7f0000000140)={'syz', 0x0}, &(0x7f0000000180)='dctcp\x00', r4) ioctl(r3, 0x1000008914, &(0x7f0000000000)) socket$inet_udp(0x2, 0x2, 0x0) bind$inet(0xffffffffffffffff, 0x0, 0x0) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x0, 0x0, 0x0) connect$inet(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_ifreq(0xffffffffffffffff, 0x0, 0x0) setsockopt$inet_opts(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) setsockopt$inet_tcp_TCP_CONGESTION(0xffffffffffffffff, 0x6, 0xd, 0x0, 0x0) sysfs$3(0x3) getsockopt$IP_VS_SO_GET_VERSION(0xffffffffffffffff, 0x0, 0x480, 0x0, 0x0) setsockopt$netlink_NETLINK_BROADCAST_ERROR(0xffffffffffffffff, 0x10e, 0x4, 0x0, 0x0) setsockopt$SO_BINDTODEVICE(0xffffffffffffffff, 0x1, 0x19, 0x0, 0xfffffffffffffeaa) sendto$inet(r1, 0x0, 0x0, 0x20000000, &(0x7f0000000080)={0x2, 0x4e20}, 0x4f) sendto$inet(r1, &(0x7f0000000700)="f4", 0x1, 0x0, 0x0, 0x0) writev(r0, &(0x7f0000000040)=[{&(0x7f0000000280)="580000001400192340834b80040d8c5602067fffffff81000000000000dca87086a5c000004f6400940005891550f4a8000000006700008000f0fffeffff09000080fff5dd00000010000100000c0900fcff0000040e05", 0x57}], 0x1) [ 721.910299][T13892] binder: 13883:13892 transaction failed 29189/-22, size 0-0 line 2995 [ 721.946711][T13002] binder: undelivered TRANSACTION_ERROR: 29189 08:35:51 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657ab0ab4630f015dc01caadd0fac78"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) [ 722.090600][T13897] binder: 13896:13897 got transaction with invalid data ptr [ 722.097999][T13897] binder: 13896:13897 transaction failed 29201/-14, size 84-0 line 3180 [ 722.139744][T13902] binder: 13901:13902 ERROR: BC_REGISTER_LOOPER called without request [ 722.179008][T13902] binder: 13901:13902 DecRefs 0 refcount change on invalid ref 4 ret -22 08:35:51 executing program 3: openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(0xffffffffffffffff, &(0x7f0000000700)=[{&(0x7f0000000600)=""/246, 0x2b7}], 0x1, 0x0) preadv(r0, &(0x7f0000000200)=[{&(0x7f0000000340)=""/135, 0x87}], 0x1, 0x0) 08:35:51 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(0x0, 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) [ 722.201758][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 722.209911][T13897] binder: BINDER_SET_CONTEXT_MGR already set [ 722.216235][T13897] binder: 13896:13897 ioctl 40046207 0 returned -16 [ 722.219258][T13902] binder: 13901:13902 got reply transaction with no transaction stack [ 722.239049][T13911] binder: 13909:13911 transaction failed 29189/-22, size 0-0 line 2995 08:35:51 executing program 5: r0 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={0x0, 0x0}}, &(0x7f0000044000)) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) read(r1, &(0x7f0000000040)=""/11, 0x2) ioctl$TIOCSETD(r1, 0x5423, &(0x7f0000000000)) r2 = epoll_create1(0x0) epoll_ctl$EPOLL_CTL_ADD(r2, 0x1, r1, &(0x7f0000000440)) r3 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(r3, &(0x7f0000000700)=[{&(0x7f0000000600)=""/246, 0x2b7}], 0x1, 0x0) preadv(r3, &(0x7f0000000200)=[{&(0x7f0000000340)=""/135, 0x87}], 0x1, 0x0) timer_settime(0x0, 0x0, &(0x7f00000001c0)={{0x0, 0x8}, {0x0, 0x9}}, 0x0) tkill(r0, 0x1000000000013) 08:35:51 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff6000/0x3000)=nil, 0x3000, 0x0, 0x10, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) r2 = syz_open_dev$dspn(&(0x7f0000000000)='/dev/dsp#\x00', 0x8, 0x202400) getsockopt$bt_BT_CHANNEL_POLICY(r2, 0x112, 0xa, &(0x7f0000000080)=0x8, &(0x7f00000000c0)=0x4) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000140)=ANY=[@ANYRES64=r0], 0x3b6, 0x0, 0x0}) ioctl$VIDIOC_G_CROP(r2, 0xc014563b, &(0x7f0000000100)={0xc, {0x1ff, 0x9, 0x9, 0x7ff}}) clock_gettime(0x0, &(0x7f00000001c0)={0x0, 0x0}) futimesat(r2, &(0x7f0000000180)='./file0\x00', &(0x7f0000000240)={{0x0, 0x7530}, {r3, r4/1000+30000}}) [ 722.261514][ T22] binder: undelivered TRANSACTION_ERROR: 29189 [ 722.276985][T13902] binder: 13901:13902 transaction failed 29201/-71, size 0-0 line 2900 08:35:51 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0xa3, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32bda5cb71a466568148a404a431aa03db22670f0f"}) 08:35:51 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657ab0ab4630f015dc01caadd0fac78"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) 08:35:51 executing program 3: openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(r0, 0x0, 0x0, 0x0) preadv(r0, &(0x7f0000000200)=[{&(0x7f0000000340)=""/135, 0x87}], 0x1, 0x0) [ 722.496770][T13928] binder: 13921:13928 ERROR: BC_REGISTER_LOOPER called without request [ 722.510447][T13929] binder_alloc: 13918: binder_alloc_buf, no vma [ 722.518396][T13929] binder: 13927:13929 transaction failed 29189/-3, size 0-0 line 3148 [ 722.529081][T13928] binder: 13921:13928 DecRefs 0 refcount change on invalid ref 4 ret -22 08:35:51 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) pipe(&(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) setsockopt$inet6_tcp_TCP_REPAIR(r3, 0x6, 0x13, &(0x7f00000001c0)=0x1, 0x4) ioctl$sock_x25_SIOCDELRT(r2, 0x890c, &(0x7f0000000080)={@null=' \x00', 0xa, 'caif0\x00'}) getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(r3, 0x84, 0x6, &(0x7f0000000240)={0x0, @in={{0x2, 0x4e24, @empty}}}, &(0x7f0000000300)=0x84) getsockopt$inet_sctp6_SCTP_ASSOCINFO(r3, 0x84, 0x1, &(0x7f0000000340)={r4, 0xddf, 0x5274fbba, 0x401, 0x7, 0x9}, &(0x7f0000000380)=0x14) 08:35:51 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(0xffffffffffffffff, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) [ 722.541252][T13928] binder: 13921:13928 got reply transaction with no transaction stack [ 722.560496][T13928] binder: 13921:13928 transaction failed 29201/-71, size 0-0 line 2900 08:35:51 executing program 5: r0 = socket$inet6(0xa, 0x1, 0x0) setsockopt$inet6_IPV6_FLOWLABEL_MGR(r0, 0x29, 0x20, &(0x7f0000000000)={@loopback, 0x0, 0x2}, 0x20) [ 722.598109][T13002] binder: undelivered TRANSACTION_ERROR: 29189 08:35:51 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x50, 0x0, &(0x7f00000000c0)=[@register_looper, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0xa3, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32bda5cb71a466568148a404a431aa03db22670f0f"}) [ 722.668474][T13938] binder: 13935:13938 got transaction with invalid data ptr 08:35:51 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657ab0ab4630f015dc01caadd0fac78"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) [ 722.718502][T13938] binder: 13935:13938 transaction failed 29201/-14, size 84-0 line 3180 08:35:51 executing program 3: openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(r0, 0x0, 0x0, 0x0) preadv(r0, &(0x7f0000000200)=[{&(0x7f0000000340)=""/135, 0x87}], 0x1, 0x0) 08:35:51 executing program 5: r0 = socket$inet6(0xa, 0x1, 0x0) setsockopt$inet6_group_source_req(r0, 0x29, 0x2c, &(0x7f0000000100)={0x0, {{0xa, 0x0, 0x0, @mcast2}}, {{0xa, 0x0, 0x0, @local}}}, 0x104) 08:35:51 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(0xffffffffffffffff, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) [ 722.819053][T13949] binder: 13945:13949 ERROR: BC_REGISTER_LOOPER called without request 08:35:51 executing program 2: openat$vicodec1(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/video37\x00', 0x2, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) prctl$PR_TASK_PERF_EVENTS_ENABLE(0x20) fdatasync(r0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) r2 = accept4$inet6(0xffffffffffffffff, &(0x7f0000000180)={0xa, 0x0, 0x0, @empty}, &(0x7f0000000340)=0x1c, 0x800) ioctl$sock_SIOCGIFCONF(r2, 0x8912, &(0x7f0000000380)) r3 = openat$selinux_avc_hash_stats(0xffffffffffffff9c, &(0x7f00000001c0)='/selinux/avc/hash_stats\x00', 0x0, 0x0) ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TEMPO(r3, 0x402c5342, &(0x7f0000000240)={0x4, 0x4, 0x5, {}, 0x7ff, 0x6}) ioctl$IOC_PR_CLEAR(r3, 0x401070cd, &(0x7f00000002c0)={0x1ffe0000000}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f00000003c0)=ANY=[@ANYBLOB="1130f3e57f248c877e000001000000010000ac00dd29bf54000002000000009d123103a04d1db3bdcf13f9956e8e1c00000000000000c17e353d272b76404399607296c66a7b68213467b64fe440c2eb5ed562fa3426871bc9beac2817366e806dcf984371b0670bf8f87c1902a431c630a8bfbe03b4a31b"], 0x0, 0x0, 0x0}) r4 = syz_open_dev$cec(&(0x7f0000000100)='/dev/cec#\x00', 0x0, 0x2) ioctl$SG_GET_ACCESS_COUNT(r4, 0x2289, &(0x7f0000000140)) setitimer(0x2, &(0x7f0000000000)={{0x77359400}}, &(0x7f0000000080)) openat$kvm(0xffffffffffffff9c, &(0x7f0000000300)='/dev/kvm\x00', 0x42200, 0x0) [ 722.865943][T13951] binder_alloc: 13935: binder_alloc_buf, no vma [ 722.872693][T13949] binder: 13945:13949 got reply transaction with no transaction stack [ 722.874064][T13002] binder: undelivered TRANSACTION_ERROR: 29201 [ 722.919230][T13951] binder: 13947:13951 transaction failed 29189/-3, size 0-0 line 3148 [ 722.954375][T13002] binder: undelivered TRANSACTION_ERROR: 29189 08:35:51 executing program 5: r0 = socket$inet6(0xa, 0x1, 0x0) bind$inet6(r0, &(0x7f0000000040)={0xa, 0x0, 0x0, @remote, 0x2}, 0x1c) bind$inet6(r0, &(0x7f0000000080)={0xa, 0x4e20}, 0x1b) 08:35:51 executing program 3: openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(r0, 0x0, 0x0, 0x0) preadv(r0, &(0x7f0000000200)=[{&(0x7f0000000340)=""/135, 0x87}], 0x1, 0x0) 08:35:51 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x50, 0x0, &(0x7f00000000c0)=[@register_looper, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0xa3, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32bda5cb71a466568148a404a431aa03db22670f0f"}) [ 723.003585][T13961] binder: 13958:13961 unknown command -437047279 [ 723.016565][T13961] binder: 13958:13961 ioctl c0306201 20000200 returned -22 08:35:51 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(0xffffffffffffffff, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:35:51 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657ab0ab4630f015dc01caadd0fac785486c0e8b9e83ee0fe2d51"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) [ 723.133173][T13969] binder: 13958:13969 unknown command -437047279 08:35:52 executing program 5: r0 = socket$inet6(0xa, 0x1, 0x0) bind$inet6(r0, &(0x7f0000000040)={0xa, 0x0, 0x0, @remote, 0x2}, 0x1c) [ 723.176498][T13969] binder: 13958:13969 ioctl c0306201 20000200 returned -22 [ 723.188332][T13976] binder_alloc: 13958: binder_alloc_buf size 1108927891180590680 failed, no address space [ 723.216092][T13976] binder_alloc: allocated: 0 (num: 0 largest: 0), free: 16384 (num: 1 largest: 16384) 08:35:52 executing program 3: openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(r0, &(0x7f0000000700), 0x0, 0x0) preadv(r0, &(0x7f0000000200)=[{&(0x7f0000000340)=""/135, 0x87}], 0x1, 0x0) 08:35:52 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0x0, 0xffffffffffffffff) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r2 = syz_open_dev$admmidi(&(0x7f0000000000)='/dev/admmidi#\x00', 0x200, 0xc0040) ioctl$KDGKBENT(r2, 0x4b46, &(0x7f0000000080)={0x81, 0x1, 0x10001}) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) [ 723.238921][T13979] binder: 13975:13979 ERROR: BC_REGISTER_LOOPER called without request [ 723.262873][T13979] binder: 13975:13979 got reply transaction with no transaction stack [ 723.293745][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:35:52 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:35:52 executing program 5: 08:35:52 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657ab0ab4630f015dc01caadd0fac7854"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) 08:35:52 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x50, 0x0, &(0x7f00000000c0)=[@register_looper, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0xa3, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32bda5cb71a466568148a404a431aa03db22670f0f"}) 08:35:52 executing program 3: openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(r0, &(0x7f0000000700), 0x0, 0x0) preadv(r0, &(0x7f0000000200)=[{&(0x7f0000000340)=""/135, 0x87}], 0x1, 0x0) 08:35:52 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000000)=ANY=[@ANYBLOB="11634840000000000000000000fe01000000000000003f000000dd86b0d44688d151ad81a1"], 0x0, 0x0, 0x0}) prctl$PR_GET_TIMERSLACK(0x1e) r2 = openat$selinux_status(0xffffffffffffff9c, &(0x7f0000000080)='/selinux/status\x00', 0x0, 0x0) r3 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/btrfs-control\x00', 0x20000, 0x0) syz_kvm_setup_cpu$x86(r2, r3, &(0x7f0000fe2000/0x18000)=nil, &(0x7f0000000140)=[@text16={0x10, &(0x7f0000000100)="3e360fc75cf2640f01d1ba6100ec6567660f3a14dbc90f2082ba610066b80008000066ef0f22590f22670ff10e00780f01df", 0x32}], 0x1, 0xe, &(0x7f0000000180), 0x0) 08:35:52 executing program 5: 08:35:52 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) [ 723.578348][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 723.615205][T14000] binder: 13999:14000 ERROR: BC_REGISTER_LOOPER called without request [ 723.655438][T14005] binder_alloc: 14004: binder_alloc_buf size 2554215420696027864 failed, no address space [ 723.666826][T14000] binder: 13999:14000 got reply transaction with no transaction stack 08:35:52 executing program 5: 08:35:52 executing program 3: openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(r0, &(0x7f0000000700), 0x0, 0x0) preadv(r0, &(0x7f0000000200)=[{&(0x7f0000000340)=""/135, 0x87}], 0x1, 0x0) 08:35:52 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657ab0ab4630f015dc01caadd0fac7854"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) [ 723.714797][T14005] binder_alloc: allocated: 0 (num: 0 largest: 0), free: 16384 (num: 1 largest: 16384) 08:35:52 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0xa3, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32bda5cb71a466568148a404a431aa03db22670f0f"}) [ 723.795909][T13002] binder: undelivered TRANSACTION_ERROR: 29201 [ 723.803559][T14012] binder_alloc: 14004: binder_alloc_buf size 2554215420696027864 failed, no address space [ 723.822244][T14005] binder: BINDER_SET_CONTEXT_MGR already set [ 723.844230][T14012] binder_alloc: allocated: 0 (num: 0 largest: 0), free: 16384 (num: 1 largest: 16384) [ 723.872467][T14005] binder: 14004:14005 ioctl 40046207 0 returned -16 08:35:52 executing program 5: [ 723.907794][T14025] binder_alloc: 14004: binder_alloc_buf size 1108927891180590680 failed, no address space [ 723.945258][T14028] binder: 14024:14028 ERROR: BC_REGISTER_LOOPER called without request 08:35:52 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:35:52 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x8, 0x0, &(0x7f0000000080)=ANY=[@ANYRES64=r0], 0x0, 0x0, 0x0}) 08:35:52 executing program 3: openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(r0, &(0x7f0000000700)=[{0x0}], 0x1, 0x0) preadv(r0, &(0x7f0000000200)=[{&(0x7f0000000340)=""/135, 0x87}], 0x1, 0x0) [ 723.966001][T14025] binder_alloc: allocated: 0 (num: 0 largest: 0), free: 16384 (num: 1 largest: 16384) [ 723.985629][T14028] binder: 14024:14028 DecRefs 0 refcount change on invalid ref 0 ret -22 [ 724.018113][T14028] binder: 14024:14028 got reply transaction with no transaction stack 08:35:53 executing program 5: 08:35:53 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657ab0ab4630f"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) 08:35:53 executing program 3: openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(r0, &(0x7f0000000700)=[{0x0}], 0x1, 0x0) preadv(r0, &(0x7f0000000200)=[{&(0x7f0000000340)=""/135, 0x87}], 0x1, 0x0) 08:35:53 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0xa3, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32bda5cb71a466568148a404a431aa03db22670f0f"}) [ 724.118496][T14037] binder: 14032:14037 unknown command 3 [ 724.154453][T14037] binder: 14032:14037 ioctl c0306201 20000000 returned -22 [ 724.177289][T14043] binder: 14032:14043 unknown command 3 [ 724.224276][T14043] binder: 14032:14043 ioctl c0306201 20000000 returned -22 [ 724.252734][T14048] binder: 14045:14048 DecRefs 0 refcount change on invalid ref 0 ret -22 08:35:53 executing program 5: 08:35:53 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) [ 724.285104][T14049] binder_alloc: 14032: binder_alloc_buf size 1108927891180590680 failed, no address space 08:35:53 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x800) r2 = syz_open_dev$amidi(&(0x7f0000000400)='/dev/amidi#\x00', 0x2, 0x800) getsockopt$TIPC_DEST_DROPPABLE(r2, 0x10f, 0x81, &(0x7f00000000c0), &(0x7f0000000100)=0x4) getsockopt$inet_sctp6_SCTP_RECONFIG_SUPPORTED(0xffffffffffffffff, 0x84, 0x75, &(0x7f0000000440)={0x0, 0x66}, &(0x7f0000000480)=0x8) getsockopt$inet_sctp_SCTP_RECONFIG_SUPPORTED(r2, 0x84, 0x75, &(0x7f00000004c0)={r3, 0x6}, &(0x7f0000000500)=0x8) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$PPPIOCSFLAGS1(r1, 0x40047459, &(0x7f0000000080)=0x2010000) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="000800bf54"], 0x0, 0x0, 0x0}) write$P9_RREADLINK(r2, &(0x7f0000000040)=ANY=[@ANYBLOB="1000000017020007002e2f66696c6730"], 0x10) 08:35:53 executing program 3: openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(r0, &(0x7f0000000700)=[{0x0}], 0x1, 0x0) preadv(r0, &(0x7f0000000200)=[{&(0x7f0000000340)=""/135, 0x87}], 0x1, 0x0) [ 724.345456][T14049] binder_alloc: allocated: 0 (num: 0 largest: 0), free: 16384 (num: 1 largest: 16384) 08:35:53 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0xa3, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32bda5cb71a466568148a404a431aa03db22670f0f"}) 08:35:53 executing program 5: write(0xffffffffffffffff, 0x0, 0x0) r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f00000008c0)='./cgroup.cpu\x00', 0x200002, 0x0) fchdir(r0) getresuid(&(0x7f0000000540), 0x0, 0x0) pipe(0x0) r1 = syz_open_procfs(0x0, &(0x7f0000000000)='net/netlink\x00') preadv(r1, &(0x7f0000000700), 0x31f, 0x10400003) creat(&(0x7f00000000c0)='./file0\x00', 0x0) write$P9_RFLUSH(0xffffffffffffffff, 0x0, 0x0) getresgid(&(0x7f0000000980), &(0x7f0000000140), &(0x7f0000000940)) 08:35:53 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:35:53 executing program 3: openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(r0, &(0x7f0000000700)=[{&(0x7f0000000600)=""/246, 0x2b7}], 0x1, 0x0) preadv(0xffffffffffffffff, &(0x7f0000000200)=[{&(0x7f0000000340)=""/135, 0x87}], 0x1, 0x0) 08:35:53 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d8"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) 08:35:53 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/avc/cache_stats\x00', 0x0, 0x0) write$cgroup_type(r1, &(0x7f0000000080)='threaded\x00', 0x9) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r2, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, r2, 0x0) mprotect(&(0x7f0000a00000/0x600000)=nil, 0x600000, 0x7) madvise(&(0x7f0000779000/0x600000)=nil, 0x600000, 0x1000000000009) prctl$PR_TASK_PERF_EVENTS_DISABLE(0x1f) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) [ 724.562350][T14066] binder_thread_write: 1 callbacks suppressed [ 724.562360][T14066] binder: 14059:14066 ERROR: BC_REGISTER_LOOPER called without request [ 724.601645][T14066] binder: 14059:14066 DecRefs 0 refcount change on invalid ref 0 ret -22 08:35:53 executing program 5: write$P9_RLERROR(0xffffffffffffffff, &(0x7f0000000140)=ANY=[], 0x0) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x0, 0x0, 0x0) pipe(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}) write(r1, &(0x7f00000001c0), 0xfffffef3) read(r0, &(0x7f0000000200)=""/250, 0x50c7e3e3) getpeername$packet(r0, 0x0, &(0x7f00000004c0)) r2 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000440)='./cgroup.net\x00', 0x200002, 0x0) r3 = openat$cgroup_ro(r2, &(0x7f0000000580)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) ioctl$EVIOCSKEYCODE_V2(r1, 0x40284504, &(0x7f0000000340)={0x8, 0x17, 0x100000000, 0x189b, "6fd8ca47fbc144c1097fc539c245ea07a95d0663c6da6eb3f5dc39342256a219"}) write$binfmt_script(r3, &(0x7f0000000040)=ANY=[], 0x7c774aac) bpf$BPF_GET_MAP_INFO(0xf, &(0x7f00000003c0)={0xffffffffffffffff, 0x0, 0x0}, 0x10) bpf$BPF_MAP_GET_FD_BY_ID(0xe, 0x0, 0x0) mmap(&(0x7f0000a00000/0x600000)=nil, 0x600000, 0x800003, 0x8012, r3, 0x0) ioctl$EVIOCGEFFECTS(r1, 0x80044584, &(0x7f0000000ac0)=""/219) ioctl$VT_OPENQRY(0xffffffffffffffff, 0x5600, 0x0) syz_genetlink_get_family_id$ipvs(0x0) sendmsg$IPVS_CMD_NEW_SERVICE(r0, 0x0, 0x40011) r4 = bpf$OBJ_GET_PROG(0x7, 0x0, 0xd4) ioctl$FS_IOC_RESVSP(r4, 0x402c5828, 0x0) setxattr$trusted_overlay_opaque(0x0, &(0x7f0000000040)='trusted.overlay.opaque\x00', &(0x7f0000000080)='y\x00', 0x2, 0x2) [ 724.657829][T14066] binder_transaction: 1 callbacks suppressed [ 724.657839][T14066] binder: 14059:14066 got reply transaction with no transaction stack 08:35:53 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x54, 0x0, &(0x7f00000000c0)=[@decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0xa3, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32bda5cb71a466568148a404a431aa03db22670f0f"}) [ 724.751875][ T26] audit: type=1400 audit(1556613353.667:76): avc: denied { map } for pid=14074 comm="syz-executor.2" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev="hugetlbfs" ino=121782 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:hugetlbfs_t:s0 tclass=file permissive=1 08:35:53 executing program 3: openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(r0, &(0x7f0000000700)=[{&(0x7f0000000600)=""/246, 0x2b7}], 0x1, 0x0) preadv(0xffffffffffffffff, &(0x7f0000000200)=[{&(0x7f0000000340)=""/135, 0x87}], 0x1, 0x0) [ 724.812690][T14080] binder: 14074:14080 ioctl c0306201 20000200 returned -14 08:35:53 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d8"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) 08:35:53 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) [ 724.858284][T14089] binder: 14086:14089 DecRefs 0 refcount change on invalid ref 4 ret -22 [ 724.894906][T14087] binder: 14074:14087 ioctl c0306201 20000200 returned -14 08:35:53 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) readahead(0xffffffffffffffff, 0x0, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) fcntl$getflags(0xffffffffffffffff, 0x0) r2 = open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0) r3 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r3, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) ioctl$sock_inet_SIOCSIFBRDADDR(r0, 0x891a, &(0x7f00000004c0)={'hsr0\x00', {0x2, 0x4e23, @rand_addr=0x1}}) openat$pfkey(0xffffffffffffff9c, &(0x7f0000000180)='/proc/self/net/pfkey\x00', 0x101000, 0x0) ioctl$sock_SIOCGPGRP(r2, 0x8904, &(0x7f0000000080)) prlimit64(0x0, 0x0, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x0) ioctl$EVIOCSABS3F(r2, 0x401845ff, 0x0) recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) setsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) ioctl$UI_GET_SYSNAME(r2, 0x8040552c, &(0x7f0000000140)) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, 0x0, 0x0) setsockopt$packet_tx_ring(r3, 0x107, 0x5, &(0x7f0000000040)=@req3={0x10000, 0x100000001, 0x10000, 0x1}, 0x1c) io_getevents(0x0, 0x0, 0x0, 0x0, 0x0) ioctl$VT_SETMODE(0xffffffffffffffff, 0x5602, 0x0) socket$nl_netfilter(0x10, 0x3, 0xc) getsockopt(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) vmsplice(0xffffffffffffffff, 0x0, 0x0, 0x0) truncate(0x0, 0x0) ioctl$int_in(0xffffffffffffffff, 0x0, 0x0) ftruncate(r2, 0x2007fff) sendfile(r1, r2, &(0x7f0000d83ff8), 0x8000fffffffe) [ 724.918864][T14089] binder: 14086:14089 got reply transaction with no transaction stack 08:35:53 executing program 3: openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(r0, &(0x7f0000000700)=[{&(0x7f0000000600)=""/246, 0x2b7}], 0x1, 0x0) preadv(0xffffffffffffffff, &(0x7f0000000200)=[{&(0x7f0000000340)=""/135, 0x87}], 0x1, 0x0) 08:35:53 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x54, 0x0, &(0x7f00000000c0)=[@decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0xa3, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32bda5cb71a466568148a404a431aa03db22670f0f"}) 08:35:53 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) r2 = openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm_plock\x00', 0x2, 0x0) io_uring_setup(0x6ad, &(0x7f0000000080)={0x0, 0x0, 0x6, 0x2, 0x33e}) io_uring_register$IORING_UNREGISTER_FILES(r2, 0x3, 0x0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:35:54 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d8"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) 08:35:54 executing program 3: openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(r0, &(0x7f0000000700)=[{&(0x7f0000000600)=""/246, 0x2b7}], 0x1, 0x0) preadv(r0, 0x0, 0x0, 0x0) [ 725.168944][T14112] binder: 14107:14112 DecRefs 0 refcount change on invalid ref 4 ret -22 [ 725.180393][T14110] binder: 14109:14110 got transaction with invalid data ptr [ 725.237906][T14112] binder: 14107:14112 got reply transaction with no transaction stack 08:35:54 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) r2 = openat$dlm_control(0xffffffffffffff9c, &(0x7f0000000180)='/dev/dlm-control\x00', 0x100, 0x0) ioctl$sock_inet_tcp_SIOCOUTQNSD(r2, 0x894b, &(0x7f0000000100)) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000080)=ANY=[@ANYBLOB="11634840000000000000000000000200000000000000dd8651ad81a1ad0e297f4b7074b451613dc0ae6e0115bf549053a81ba396ff55f407006e63b5290000feff00"], 0x0, 0x0, 0x0}) [ 725.279330][T14122] binder_alloc: 14109: binder_alloc_buf failed to map pages in userspace, no vma 08:35:54 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x54, 0x0, &(0x7f00000000c0)=[@decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0xa3, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32bda5cb71a466568148a404a431aa03db22670f0f"}) 08:35:54 executing program 3: openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(r0, &(0x7f0000000700)=[{&(0x7f0000000600)=""/246, 0x2b7}], 0x1, 0x0) preadv(r0, 0x0, 0x0, 0x0) 08:35:54 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) 08:35:54 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) msgget$private(0x0, 0x404) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) [ 725.442900][T14131] binder: 14128:14131 DecRefs 0 refcount change on invalid ref 4 ret -22 [ 725.469073][T14131] binder: 14128:14131 got reply transaction with no transaction stack [ 725.558204][T14137] binder: 14134:14137 got transaction with invalid data ptr [ 725.588758][T14138] binder_alloc: 14134: binder_alloc_buf size 5740120 failed, no address space [ 725.618945][T14138] binder_alloc: allocated: 0 (num: 0 largest: 0), free: 16384 (num: 1 largest: 16384) [ 725.808771][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 725.814718][ C1] protocol 88fb is buggy, dev hsr_slave_1 08:35:54 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x0, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:35:55 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) readahead(0xffffffffffffffff, 0x0, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) fcntl$getflags(0xffffffffffffffff, 0x0) r2 = open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0) r3 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r3, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) ioctl$sock_inet_SIOCSIFBRDADDR(r0, 0x891a, &(0x7f00000004c0)={'hsr0\x00', {0x2, 0x4e23, @rand_addr=0x1}}) openat$pfkey(0xffffffffffffff9c, &(0x7f0000000180)='/proc/self/net/pfkey\x00', 0x101000, 0x0) ioctl$sock_SIOCGPGRP(r2, 0x8904, &(0x7f0000000080)) prlimit64(0x0, 0x0, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x0) ioctl$EVIOCSABS3F(r2, 0x401845ff, 0x0) recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) setsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) ioctl$UI_GET_SYSNAME(r2, 0x8040552c, &(0x7f0000000140)) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, 0x0, 0x0) setsockopt$packet_tx_ring(r3, 0x107, 0x5, &(0x7f0000000040)=@req3={0x10000, 0x100000001, 0x10000, 0x1}, 0x1c) io_getevents(0x0, 0x0, 0x0, 0x0, 0x0) ioctl$VT_SETMODE(0xffffffffffffffff, 0x5602, 0x0) socket$nl_netfilter(0x10, 0x3, 0xc) getsockopt(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) vmsplice(0xffffffffffffffff, 0x0, 0x0, 0x0) truncate(0x0, 0x0) ioctl$int_in(0xffffffffffffffff, 0x0, 0x0) ftruncate(r2, 0x2007fff) sendfile(r1, r2, &(0x7f0000d83ff8), 0x8000fffffffe) 08:35:55 executing program 3: openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(r0, &(0x7f0000000700)=[{&(0x7f0000000600)=""/246, 0x2b7}], 0x1, 0x0) preadv(r0, 0x0, 0x0, 0x0) 08:35:55 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 08:35:55 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000000)=ANY=[], 0x0, 0x0, 0x0}) 08:35:55 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d8"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) [ 726.238601][T14160] binder: 14153:14160 ERROR: BC_REGISTER_LOOPER called without request [ 726.263613][T14160] binder: 14153:14160 DecRefs 0 refcount change on invalid ref 4 ret -22 [ 726.274354][T14161] binder: BINDER_SET_CONTEXT_MGR already set [ 726.283459][T14160] binder: 14153:14160 got reply transaction with no transaction stack [ 726.288731][T14161] binder: 14154:14161 ioctl 40046207 0 returned -16 08:35:55 executing program 3: openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(r0, &(0x7f0000000700)=[{&(0x7f0000000600)=""/246, 0x2b7}], 0x1, 0x0) preadv(r0, &(0x7f0000000200), 0x0, 0x0) 08:35:55 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0xffffffffffffff9d, 0x0, &(0x7f00000004c0)=ANY=[@ANYRESHEX=r0, @ANYRES16=0x0, @ANYRES32, @ANYPTR=&(0x7f0000000340)=ANY=[@ANYRES32=r0, @ANYPTR64=&(0x7f0000000240)=ANY=[@ANYBLOB="0bc554a5fd04f392b08f6f07dd97fc566e3bb926d3cc4c50fa9c1d102ccd569a80b45c43a9f1384eed7fba128b90fd6e3b8b49e63e12a2d7622551b23af9718804130823db0c6fa7dadb2a3e4527c5553a52a91248b31e71928fb4bc1612a03b512446b594b7e3e7b3127878874adfd43bddb29da69ba1de80be96bc823dd04845a43bcde57740537ee3cd5fc35c5088637c0368e6ec6e0ebf89c265f954672a1c39e6836c4cd74e542e9e67ce874020a3c340f137356128ae8dfa19fde4b43d1410b343c00c6381686a0c67a5793ab2b0e4f76cecb55e0c7364b65dd9fc825f825d4a3fe5cccf5f3363d1179d27d60abb9b0b916ec62ccb81af1e746edd30"], @ANYRESDEC=r1, @ANYRESDEC=r1, @ANYRES16=0x0, @ANYRESOCT=r1, @ANYRES16=r0], @ANYPTR=&(0x7f00000003c0)=ANY=[@ANYBLOB="c211ae1924df3d3588cc259627f5c9445e8cd218379448a0d51a73e87cb165fffc87a77ff3f5fac0471646d92e1ddc63340d21f5ffa88a62b1ce5fa4fe67cb5e07e1ef8a9c2cc563728e8fcb7caf6d39bc05c7a576015894d4cd097776a3c2898e4167cf8f778e088f8ed7441b800761f308330cf1b69cbf14cf13e2add08c3b8145f9bea8cbc95af4da5d59764016aba28212dd15f8fe2a722e0089daaf8d78a65e384e2842bd16eb7a80ae0bb5ad9923424b7b3aa563ac0625608e29318defa60a31297f89102d51ef6f81b41b101fcf8791749059a60597c814c0936c734b"]], 0x2a, 0x0, 0x0}) 08:35:55 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 08:35:55 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d8"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) [ 726.438786][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 726.444632][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 726.480523][T14175] binder: 14166:14175 ioctl c0306201 20000140 returned -14 [ 726.488545][T14171] binder: 14170:14171 ERROR: BC_REGISTER_LOOPER called without request [ 726.499867][T13002] binder: release 14173:14174 transaction 6724 out, still active [ 726.508265][T13002] binder: undelivered TRANSACTION_COMPLETE [ 726.516528][T14176] binder: BINDER_SET_CONTEXT_MGR already set 08:35:55 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d8"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) [ 726.523232][T14171] binder: 14170:14171 DecRefs 0 refcount change on invalid ref 4 ret -22 [ 726.523735][T14177] binder: 14166:14177 ioctl c0306201 20000140 returned -14 [ 726.534706][T14176] binder: 14166:14176 ioctl 40046207 0 returned -16 [ 726.546465][T14171] binder: 14170:14171 got reply transaction with no transaction stack [ 726.555633][T14171] binder_transaction: 25 callbacks suppressed [ 726.555651][T14171] binder: 14170:14171 transaction failed 29201/-71, size 0-0 line 2900 08:35:55 executing program 3: openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(r0, &(0x7f0000000700)=[{&(0x7f0000000600)=""/246, 0x2b7}], 0x1, 0x0) preadv(r0, &(0x7f0000000200), 0x0, 0x0) [ 726.618860][T13002] binder: send failed reply for transaction 6724, target dead [ 726.639243][T13002] binder_release_work: 13 callbacks suppressed [ 726.639251][T13002] binder: undelivered TRANSACTION_ERROR: 29201 [ 726.678802][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 726.684786][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 726.715881][T14184] binder: 14182:14184 transaction failed 29189/-22, size 0-0 line 2995 [ 726.726529][T13002] binder: undelivered TRANSACTION_ERROR: 29189 08:35:55 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x0, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) [ 727.078803][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 727.084650][ C0] protocol 88fb is buggy, dev hsr_slave_1 08:35:56 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) readahead(0xffffffffffffffff, 0x0, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) fcntl$getflags(0xffffffffffffffff, 0x0) r2 = open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0) r3 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r3, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) ioctl$sock_inet_SIOCSIFBRDADDR(r0, 0x891a, &(0x7f00000004c0)={'hsr0\x00', {0x2, 0x4e23, @rand_addr=0x1}}) openat$pfkey(0xffffffffffffff9c, &(0x7f0000000180)='/proc/self/net/pfkey\x00', 0x101000, 0x0) ioctl$sock_SIOCGPGRP(r2, 0x8904, &(0x7f0000000080)) prlimit64(0x0, 0x0, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x0) ioctl$EVIOCSABS3F(r2, 0x401845ff, 0x0) recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) setsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) ioctl$UI_GET_SYSNAME(r2, 0x8040552c, &(0x7f0000000140)) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, 0x0, 0x0) setsockopt$packet_tx_ring(r3, 0x107, 0x5, &(0x7f0000000040)=@req3={0x10000, 0x100000001, 0x10000, 0x1}, 0x1c) io_getevents(0x0, 0x0, 0x0, 0x0, 0x0) ioctl$VT_SETMODE(0xffffffffffffffff, 0x5602, 0x0) socket$nl_netfilter(0x10, 0x3, 0xc) getsockopt(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) vmsplice(0xffffffffffffffff, 0x0, 0x0, 0x0) truncate(0x0, 0x0) ioctl$int_in(0xffffffffffffffff, 0x0, 0x0) ftruncate(r2, 0x2007fff) sendfile(r1, r2, &(0x7f0000d83ff8), 0x8000fffffffe) 08:35:56 executing program 3: openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(r0, &(0x7f0000000700)=[{&(0x7f0000000600)=""/246, 0x2b7}], 0x1, 0x0) preadv(r0, &(0x7f0000000200), 0x0, 0x0) 08:35:56 executing program 2: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:35:56 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0}) 08:35:56 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed56"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) 08:35:56 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x0, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) [ 727.303049][T14197] binder: 14196:14197 transaction failed 29189/-22, size 0-0 line 2995 [ 727.312070][T14199] binder: 14195:14199 ERROR: BC_REGISTER_LOOPER called without request 08:35:56 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x800000000001) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:35:56 executing program 3: openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(r0, &(0x7f0000000700)=[{&(0x7f0000000600)=""/246, 0x2b7}], 0x1, 0x0) preadv(r0, &(0x7f0000000200)=[{0x0}], 0x1, 0x0) [ 727.358429][T13002] binder: undelivered TRANSACTION_ERROR: 29189 [ 727.364947][T14199] binder: 14195:14199 DecRefs 0 refcount change on invalid ref 4 ret -22 [ 727.406739][T14199] binder: 14195:14199 got reply transaction with no transaction stack [ 727.438220][T14199] binder: 14195:14199 transaction failed 29201/-71, size 0-0 line 2900 08:35:56 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed56"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) [ 727.462906][T14211] binder_alloc: 14209: binder_alloc_buf, no vma [ 727.477421][T13002] binder: undelivered TRANSACTION_ERROR: 29201 [ 727.478448][T14211] binder: 14209:14211 transaction failed 29189/-3, size 84-0 line 3148 08:35:56 executing program 3: openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(r0, &(0x7f0000000700)=[{&(0x7f0000000600)=""/246, 0x2b7}], 0x1, 0x0) preadv(r0, &(0x7f0000000200)=[{0x0}], 0x1, 0x0) 08:35:56 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, &(0x7f0000000240)}) [ 727.596412][T14219] binder_alloc: 14209: binder_alloc_buf, no vma [ 727.607250][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 727.644199][T14219] binder: 14209:14219 transaction failed 29189/-3, size 84-0 line 3148 [ 727.674686][T14225] binder: 14221:14225 ERROR: BC_REGISTER_LOOPER called without request [ 727.684318][T13002] binder: undelivered TRANSACTION_ERROR: 29189 08:35:56 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = openat$snapshot(0xffffffffffffff9c, &(0x7f0000000000)='/dev/snapshot\x00', 0x2000, 0x0) setsockopt$inet_sctp6_SCTP_FRAGMENT_INTERLEAVE(r1, 0x84, 0x12, &(0x7f0000000080)=0x2, 0x4) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ffb000/0x2000)=nil, 0x2000, 0x0, 0x20011, r2, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000e29bf54"], 0x0, 0x0, 0x0}) ioctl$UI_SET_KEYBIT(r1, 0x40045565, 0xb9) [ 727.695901][T14225] binder: 14221:14225 DecRefs 0 refcount change on invalid ref 4 ret -22 [ 727.704796][T14223] binder: 14215:14223 transaction failed 29189/-22, size 0-0 line 2995 [ 727.719749][T14225] binder: 14221:14225 got reply transaction with no transaction stack [ 727.754276][T14225] binder: 14221:14225 transaction failed 29201/-71, size 0-0 line 2900 [ 727.766991][T13002] binder: undelivered TRANSACTION_ERROR: 29189 [ 727.791681][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 727.802108][ T17] binder: release 14230:14231 transaction 6735 out, still active [ 727.822250][ T17] binder: undelivered TRANSACTION_COMPLETE [ 727.831423][T14231] binder: BINDER_SET_CONTEXT_MGR already set [ 727.848807][T14231] binder: 14230:14231 ioctl 40046207 0 returned -16 [ 727.855650][ T17] binder: send failed reply for transaction 6735, target dead [ 727.875627][T14232] binder: 14230:14232 transaction failed 29189/-22, size 0-0 line 2995 [ 727.884135][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 727.889966][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 727.900658][ T17] binder: undelivered TRANSACTION_ERROR: 29189 08:35:57 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) readahead(0xffffffffffffffff, 0x0, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) fcntl$getflags(0xffffffffffffffff, 0x0) r2 = open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0) r3 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r3, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) ioctl$sock_inet_SIOCSIFBRDADDR(r0, 0x891a, &(0x7f00000004c0)={'hsr0\x00', {0x2, 0x4e23, @rand_addr=0x1}}) openat$pfkey(0xffffffffffffff9c, &(0x7f0000000180)='/proc/self/net/pfkey\x00', 0x101000, 0x0) ioctl$sock_SIOCGPGRP(r2, 0x8904, &(0x7f0000000080)) prlimit64(0x0, 0x0, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x0) ioctl$EVIOCSABS3F(r2, 0x401845ff, 0x0) recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) setsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) ioctl$UI_GET_SYSNAME(r2, 0x8040552c, &(0x7f0000000140)) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, 0x0, 0x0) setsockopt$packet_tx_ring(r3, 0x107, 0x5, &(0x7f0000000040)=@req3={0x10000, 0x100000001, 0x10000, 0x1}, 0x1c) io_getevents(0x0, 0x0, 0x0, 0x0, 0x0) ioctl$VT_SETMODE(0xffffffffffffffff, 0x5602, 0x0) socket$nl_netfilter(0x10, 0x3, 0xc) getsockopt(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) vmsplice(0xffffffffffffffff, 0x0, 0x0, 0x0) truncate(0x0, 0x0) ioctl$int_in(0xffffffffffffffff, 0x0, 0x0) ftruncate(r2, 0x2007fff) sendfile(r1, r2, &(0x7f0000d83ff8), 0x8000fffffffe) 08:35:57 executing program 3: openat$ptmx(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx\x00', 0x0, 0x0) epoll_create1(0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000300)='fdinfo/4\x00') preadv(r0, &(0x7f0000000700)=[{&(0x7f0000000600)=""/246, 0x2b7}], 0x1, 0x0) preadv(r0, &(0x7f0000000200)=[{0x0}], 0x1, 0x0) 08:35:57 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, &(0x7f0000000240)}) 08:35:57 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed56"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) 08:35:57 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) r2 = openat$snapshot(0xffffffffffffff9c, &(0x7f00000006c0)='/dev/snapshot\x00', 0x800, 0x0) recvmmsg(0xffffffffffffff9c, &(0x7f0000002100)=[{{0x0, 0x0, &(0x7f0000000840)=[{&(0x7f00000007c0)=""/103, 0x67}], 0x1, &(0x7f0000000880)=""/4096, 0x1000}, 0x3f}, {{0x0, 0x0, &(0x7f00000019c0)=[{&(0x7f0000001880)=""/4, 0x4}, {&(0x7f00000018c0)=""/252, 0xfc}], 0x2, &(0x7f0000001a00)=""/64, 0x40}, 0x8}, {{&(0x7f0000001a40)=@ll={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @dev}, 0x80, &(0x7f0000001f80)=[{&(0x7f0000001ac0)=""/222, 0xde}, {&(0x7f0000001bc0)=""/179, 0xb3}, {&(0x7f0000001c80)=""/115, 0x73}, {&(0x7f0000001d00)=""/56, 0x38}, {&(0x7f0000001d40)=""/188, 0xbc}, {&(0x7f0000001e00)=""/237, 0xed}, {&(0x7f0000001f00)=""/94, 0x5e}], 0x7, &(0x7f0000002000)=""/253, 0xfd}, 0x80}], 0x3, 0x0, &(0x7f00000021c0)={0x0, 0x989680}) sendmsg$can_raw(r2, &(0x7f0000002300)={&(0x7f0000002200)={0x1d, r3}, 0x10, &(0x7f00000022c0)={&(0x7f0000002240)=@canfd={{0x0, 0x1000, 0x0, 0x3}, 0x18, 0x3, 0x0, 0x0, "8861a21e1eeee7ab4bd5c6830a1a4e50d598912f55d7607f297892daf959568bcff0dc8c1aa56af4152eec726781299d2dfe777a78cf24d1756dc1f843c95ddb"}, 0x48}, 0x1, 0x0, 0x0, 0x8000}, 0x1) r4 = syz_open_dev$vcsn(&(0x7f0000000100)='/dev/vcs#\x00', 0x6, 0x88001) ioctl$SG_GET_LOW_DMA(r4, 0x227a, &(0x7f0000000140)) r5 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/dlm-monitor\x00', 0x3ff, 0x0) write$uinput_user_dev(r5, &(0x7f0000000240)={'syz0\x00', {0x80000001, 0x1, 0x20, 0x1}, 0x22, [0x4, 0x6, 0x5, 0x1f, 0xffffffff, 0x10000, 0x101, 0x10000, 0x1, 0x100000000, 0xfffffffffffffe01, 0x6, 0x1, 0x9, 0x606f3577, 0xed8d, 0x1, 0x17, 0x0, 0x4, 0x7, 0xffff, 0x5, 0xffffffffffffffff, 0x5, 0x7fff, 0x1f, 0x80, 0x3, 0x9, 0x80000000, 0x7, 0x273, 0x7, 0xffffffff, 0x96, 0x80000001, 0x1, 0x200, 0x4, 0x6, 0x4e6, 0x2, 0x9, 0x400, 0x0, 0x7, 0x859, 0xab9, 0xffffffffffffffff, 0x1ff, 0xa6, 0x4, 0x3, 0xf2a6, 0x4, 0x4, 0x2, 0x1, 0x5d9853a8, 0xa5b6, 0x5, 0x7fffffff, 0xfffffffffffffffb], [0x6, 0x4, 0x2, 0x4, 0x7f, 0xfffffffffffff402, 0x6, 0x7, 0x101, 0x8, 0x0, 0xfffffffffffffff8, 0x5, 0x1, 0xfffffffffffeffff, 0x3, 0x8e5, 0xfab, 0xffffffffffffff1e, 0x100000000, 0xffffffffffff14bd, 0x4, 0x81, 0x3f, 0x3, 0x6, 0x401, 0x35, 0x84d7, 0x8, 0x2, 0xfffffffffffffffd, 0x6, 0x100000001, 0x4, 0x0, 0x8, 0x8, 0x5, 0x6, 0x3f, 0x508, 0x6, 0x7f, 0x5, 0x7, 0x5, 0x40, 0x7, 0x0, 0x79, 0x0, 0x6, 0x8, 0x8, 0x4000800000, 0x8, 0x1f, 0x0, 0x4, 0x5, 0x2, 0x7, 0x4], [0xffff, 0x5, 0xfffffffffffffffb, 0x76a1, 0x8000, 0x100000001, 0x100000000, 0xfffffffffffffffa, 0x8600, 0x9, 0x2, 0x0, 0x3, 0x4, 0xffffffffffffffff, 0x5, 0x1000, 0x77f0, 0xff, 0xff, 0x5, 0x7f, 0x3f9b6cdc, 0x7fffffff, 0x6, 0x2, 0x2, 0xa53, 0xb1ec, 0x1, 0x86, 0x1f, 0x9, 0xfff, 0x5, 0x4, 0xfea, 0x100000000, 0x1, 0x9, 0xfffffffffffffff9, 0xab31, 0x2, 0x2, 0x200, 0x8001, 0x0, 0x5, 0x80000000, 0x6, 0x9, 0x0, 0x4, 0xff, 0x6, 0x2, 0x12000000000, 0x4, 0x80000001, 0x1f, 0x7, 0x6, 0xdaee, 0x80000001], [0x200, 0x5, 0x1f, 0x3, 0x1a, 0x7f, 0x5, 0x8, 0xe6f, 0x9, 0x80000001, 0x80000001, 0x9, 0x287, 0x8, 0x1f, 0x1, 0x4, 0x8, 0x1, 0x2, 0x7f, 0x7f, 0x2, 0x4, 0x4, 0x8, 0x4, 0xff, 0x6, 0x5, 0x0, 0x383549f9, 0x3, 0xfc92, 0x7ff, 0x100000001, 0x5, 0xfffffffffffffeff, 0x100000001, 0x99, 0x5, 0x0, 0x9, 0xf23, 0x1, 0x8, 0xc7, 0xe5, 0x8, 0xd444, 0xb4e, 0x401, 0xffff, 0x80000000, 0x6, 0x2, 0x676, 0x3, 0x800, 0x5eaf746f, 0x79, 0x100000000, 0x6]}, 0x45c) r6 = semget(0x3, 0x3, 0x240) semtimedop(r6, &(0x7f0000000000)=[{0x5, 0x90000000000, 0x800}, {0x2, 0x800, 0x1000}, {0x3, 0x4694ab39, 0x1800}, {0x4, 0xffffffffffffffff, 0x1800}, {0x0, 0xc6}, {0x3, 0x95, 0x1800}, {0x4, 0x8, 0x1000}, {0x4, 0x3f, 0x1000}], 0x8, &(0x7f0000000080)={0x77359400}) ioctl$TCSETXW(r5, 0x5435, &(0x7f00000001c0)={0x6a, 0xc00000000000000, [0xfffffffffffffff9, 0x4, 0x401, 0x100000000, 0x3], 0x4}) 08:35:57 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) [ 728.365924][T14245] binder: 14239:14245 got transaction with invalid data ptr [ 728.372652][T14249] binder: 14244:14249 ERROR: BC_REGISTER_LOOPER called without request [ 728.384700][T14243] binder: 14242:14243 got transaction with unaligned buffers size, 86 08:35:57 executing program 3: bpf$PROG_LOAD(0x5, &(0x7f0000b7a000)={0x8, 0x4, &(0x7f0000346fc8)=@framed={{}, [@alu={0x8000000201a7f19, 0x0, 0x6}]}, &(0x7f0000f6bffb)='GPL\x00', 0x1, 0xfb, &(0x7f00001a7f05)=""/251}, 0x48) [ 728.414793][T14245] binder: 14239:14245 transaction failed 29201/-14, size 84-0 line 3180 [ 728.429481][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 728.434278][T14249] binder: 14244:14249 DecRefs 0 refcount change on invalid ref 4 ret -22 [ 728.445259][T14249] binder: 14244:14249 got reply transaction with no transaction stack 08:35:57 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed5696"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) 08:35:57 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, &(0x7f0000000240)}) 08:35:57 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f00000000c0)=ANY=[@ANYBLOB="11634840000035a97e0642f2090102000000fc00000000000000dd8651ad81b9ad0e29bf547da0a6e79cf2aee35d92073e2d61baf823554fbcd0a8f3d1f8357c0a035b61e2493f6b44db1e56fa484e9be5b12e147782a04071da43d47dee3c119b20e940468ea27e1be98d02e83cde76a52e1acc979a7bd09682ed8441f8a595f8555b36ad096fca454885f55e74ed0c51b4ec95c662990a54e85c174a528ceb309090ed6d30b373bf5bb636a0dbd1f76370585f3b1765b95b0a0d1b676d0080ee298c4537546685790466bd56c07206b7afcb125460d9924d0dc4edff8a4edbeefca00f1934408a5bd9247442e8e8e0e252345e"], 0x0, 0x0, 0x0}) r2 = creat(&(0x7f0000000000)='./file0\x00', 0x54) ioctl$SG_GET_VERSION_NUM(r2, 0x2282, &(0x7f0000000080)) [ 728.602643][T14260] binder_alloc: 14239: binder_alloc_buf, no vma 08:35:57 executing program 3: r0 = eventfd2(0x4431, 0x0) pipe(&(0x7f0000000480)={0xffffffffffffffff, 0xffffffffffffffff}) write(r2, &(0x7f00000001c0), 0xfffffef3) write(r2, 0x0, 0x0) read(r1, &(0x7f0000000200)=""/250, 0x50c7e3e3) r3 = socket$inet(0x2, 0x4000000000000001, 0x0) r4 = creat(&(0x7f0000000300)='./file0\x00', 0x2) bind$inet(r3, &(0x7f0000000040)={0x2, 0x4e23, @multicast2}, 0x10) setsockopt$netlink_NETLINK_RX_RING(r4, 0x10e, 0x6, &(0x7f0000000380)={0x0, 0x0, 0x7f, 0x5}, 0x10) setfsgid(0xffffffffffffffff) timerfd_gettime(r1, &(0x7f0000000400)) sendto$inet(r3, 0x0, 0x0, 0x20000802, &(0x7f0000000100)={0x2, 0x4e23, @dev={0xac, 0x14, 0x14, 0xa}}, 0x10) read(r3, &(0x7f0000000200)=""/13, 0xfffffffffffffdb4) set_thread_area(&(0x7f00000000c0)={0x7, 0x0, 0xffffffffffffffff, 0x0, 0x6, 0x0, 0x3ff, 0x80000000, 0x8, 0x79fc}) fsetxattr$security_evm(r3, &(0x7f0000000080)='security.evm\x00', &(0x7f00000001c0)=ANY=[@ANYBLOB="0464"], 0x1, 0x0) setsockopt$SO_BINDTODEVICE(r3, 0x1, 0x19, &(0x7f0000000000)='ip6_vti0\x00', 0x10) fstat(r0, &(0x7f0000001740)) ioctl$sock_SIOCOUTQ(r3, 0x5411, &(0x7f0000000440)) write$FUSE_INTERRUPT(r3, &(0x7f0000000140)={0x10}, 0xfffffd2a) getsockopt$inet_IP_IPSEC_POLICY(r2, 0x0, 0x10, &(0x7f0000001540)={{{@in6=@initdev, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@local}, 0x0, @in=@remote}}, &(0x7f0000000180)=0xe8) setsockopt$SO_BINDTODEVICE(r3, 0x1, 0x19, 0x0, 0x0) r6 = syz_genetlink_get_family_id$team(&(0x7f00000004c0)='team\x00') sendmsg$TEAM_CMD_OPTIONS_SET(r1, &(0x7f0000000a40)={&(0x7f0000000340)={0x10, 0x0, 0x0, 0x10000000}, 0xc, &(0x7f0000000a00)={&(0x7f0000000500)={0x114, r6, 0x800, 0x70bd2a, 0x25dfdbfc, {}, [{{0x8, 0x1, r5}, {0xb4, 0x2, [{0x3c, 0x1, @user_linkup={{{0x24, 0x1, 'user_linkup\x00'}, {0x8}, {0x4}}, {0x8, 0x6, r5}}}, {0x3c, 0x1, @bpf_hash_func={{0x24, 0x1, 'bpf_hash_func\x00'}, {0x8}, {0xc, 0x4, [{0x9, 0x4, 0xfff, 0x8000}]}}}, {0x38, 0x1, @mcast_rejoin_interval={{0x24, 0x1, 'mcast_rejoin_interval\x00'}, {0x8}, {0x8, 0x4, 0x7}}}]}}, {{0x8, 0x1, r5}, {0x3c, 0x2, [{0x38, 0x1, @notify_peers_count={{0x24, 0x1, 'notify_peers_count\x00'}, {0x8}, {0x8}}}]}}]}, 0x114}, 0x1, 0x0, 0x0, 0x20008001}, 0x80) fcntl$F_GET_FILE_RW_HINT(r2, 0x40d, &(0x7f00000003c0)) 08:35:57 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed5696"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) [ 728.696101][T14267] binder: 14264:14267 ERROR: BC_REGISTER_LOOPER called without request [ 728.706181][T14268] binder: 14265:14268 got transaction to invalid handle [ 728.756046][T14267] binder: 14264:14267 DecRefs 0 refcount change on invalid ref 4 ret -22 [ 728.768979][T14267] binder: 14264:14267 got reply transaction with no transaction stack [ 728.780199][T14268] binder: 14265:14268 got transaction to invalid handle 08:35:58 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) readahead(0xffffffffffffffff, 0x0, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) fcntl$getflags(0xffffffffffffffff, 0x0) r2 = open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0) r3 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r3, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) ioctl$sock_inet_SIOCSIFBRDADDR(r0, 0x891a, &(0x7f00000004c0)={'hsr0\x00', {0x2, 0x4e23, @rand_addr=0x1}}) openat$pfkey(0xffffffffffffff9c, &(0x7f0000000180)='/proc/self/net/pfkey\x00', 0x101000, 0x0) ioctl$sock_SIOCGPGRP(r2, 0x8904, &(0x7f0000000080)) prlimit64(0x0, 0x0, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x0) ioctl$EVIOCSABS3F(r2, 0x401845ff, 0x0) recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) setsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) ioctl$UI_GET_SYSNAME(r2, 0x8040552c, &(0x7f0000000140)) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, 0x0, 0x0) setsockopt$packet_tx_ring(r3, 0x107, 0x5, &(0x7f0000000040)=@req3={0x10000, 0x100000001, 0x10000, 0x1}, 0x1c) io_getevents(0x0, 0x0, 0x0, 0x0, 0x0) ioctl$VT_SETMODE(0xffffffffffffffff, 0x5602, 0x0) socket$nl_netfilter(0x10, 0x3, 0xc) getsockopt(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) vmsplice(0xffffffffffffffff, 0x0, 0x0, 0x0) truncate(0x0, 0x0) ioctl$int_in(0xffffffffffffffff, 0x0, 0x0) ftruncate(r2, 0x2007fff) 08:35:58 executing program 3: r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000740)='.\"cgropu\x00', 0x200002, 0x0) fchdir(r0) creat(&(0x7f0000000300)='./bus\x00', 0xf11f1f2585055e54) r1 = openat$selinux_policy(0xffffffffffffff9c, &(0x7f00000005c0)='/selinux/policy\x00', 0x0, 0x0) r2 = creat(&(0x7f0000000700)='./bus\x00', 0x0) fcntl$setstatus(r2, 0x4, 0x46c00) r3 = open(0x0, 0x141042, 0x0) pipe(0x0) write(0xffffffffffffffff, 0x0, 0x0) setsockopt$netlink_NETLINK_BROADCAST_ERROR(r2, 0x10e, 0x4, &(0x7f0000000200)=0xffffffffffffffc1, 0x4) read(0xffffffffffffffff, 0x0, 0x0) accept4$inet(r2, &(0x7f0000000080)={0x2, 0x0, @loopback}, &(0x7f00000001c0)=0x10, 0x800) setsockopt$inet_udp_int(r0, 0x11, 0x0, 0x0, 0x0) io_setup(0x0, &(0x7f0000000100)) unshare(0x4040000000) mknod$loop(&(0x7f0000000000)='./file0\x00', 0x0, 0xffffffffffffffff) mount(&(0x7f00000008c0)=ANY=[], 0x0, 0x0, 0x1000, 0x0) ioctl$sock_SIOCGIFCONF(r2, 0x8912, &(0x7f0000000240)=@req={0x20, &(0x7f0000000540)={'syz_tun\x00', @ifru_mtu=0x4}}) write$binfmt_elf64(r1, &(0x7f0000000480)=ANY=[@ANYPTR=&(0x7f0000000400)=ANY=[]], 0x4) syz_genetlink_get_family_id$tipc2(&(0x7f00000002c0)='TIPCv2\x00') r4 = creat(&(0x7f0000000180)='./bus\x00', 0x20) setsockopt$inet_MCAST_JOIN_GROUP(r4, 0x0, 0x2a, &(0x7f0000000380)={0x7fffffff, {{0x2, 0x4e22, @dev={0xac, 0x14, 0x14, 0x11}}}}, 0x84) io_setup(0x2000000000000000, 0x0) syz_genetlink_get_family_id$ipvs(&(0x7f0000000580)='IPVS\x00') open(&(0x7f0000000340)='./file0\x00', 0x610000, 0x5c) sendmsg$IPVS_CMD_GET_INFO(r3, &(0x7f0000000800)={&(0x7f00000006c0)={0x10, 0x0, 0x0, 0x40000}, 0xc, &(0x7f00000007c0)={&(0x7f0000000500)=ANY=[]}}, 0x8000) ioctl$TIOCSWINSZ(0xffffffffffffffff, 0x5414, &(0x7f0000000040)={0x0, 0x3, 0x10001, 0x5}) 08:35:58 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) r2 = epoll_create1(0x0) r3 = epoll_create1(0x0) r4 = timerfd_create(0x0, 0x0) epoll_ctl$EPOLL_CTL_ADD(r3, 0x1, r2, &(0x7f00000000c0)) dup3(r4, r3, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:35:58 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x52, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3"}) 08:35:58 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed5696"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) 08:35:58 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) [ 729.399260][T14286] binder: 14282:14286 ERROR: BC_REGISTER_LOOPER called without request 08:35:58 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x52, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3"}) [ 729.445853][T14289] binder: 14283:14289 got transaction with invalid data ptr 08:35:58 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000d78651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) 08:35:58 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, 0x0, 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) [ 729.606344][T14304] binder: 14297:14304 ERROR: BC_REGISTER_LOOPER called without request [ 729.639539][T14304] binder_thread_write: 1 callbacks suppressed [ 729.639557][T14304] binder: 14297:14304 DecRefs 0 refcount change on invalid ref 4 ret -22 08:35:58 executing program 3: [ 729.664857][T14308] binder: 14306:14308 got transaction with invalid data ptr [ 729.680777][T14308] binder: BINDER_SET_CONTEXT_MGR already set [ 729.687101][T14308] binder: 14306:14308 ioctl 40046207 0 returned -16 [ 729.706521][T14310] binder: 14306:14310 got transaction with invalid data ptr 08:35:58 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x52, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3"}) 08:35:58 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, 0x0, 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) 08:35:58 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) readahead(0xffffffffffffffff, 0x0, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) fcntl$getflags(0xffffffffffffffff, 0x0) r2 = open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0) r3 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r3, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) ioctl$sock_inet_SIOCSIFBRDADDR(r0, 0x891a, &(0x7f00000004c0)={'hsr0\x00', {0x2, 0x4e23, @rand_addr=0x1}}) openat$pfkey(0xffffffffffffff9c, &(0x7f0000000180)='/proc/self/net/pfkey\x00', 0x101000, 0x0) ioctl$sock_SIOCGPGRP(r2, 0x8904, &(0x7f0000000080)) prlimit64(0x0, 0x0, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x0) ioctl$EVIOCSABS3F(r2, 0x401845ff, 0x0) recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) setsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) ioctl$UI_GET_SYSNAME(r2, 0x8040552c, &(0x7f0000000140)) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, 0x0, 0x0) setsockopt$packet_tx_ring(r3, 0x107, 0x5, &(0x7f0000000040)=@req3={0x10000, 0x100000001, 0x10000, 0x1}, 0x1c) io_getevents(0x0, 0x0, 0x0, 0x0, 0x0) ioctl$VT_SETMODE(0xffffffffffffffff, 0x5602, 0x0) socket$nl_netfilter(0x10, 0x3, 0xc) getsockopt(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) vmsplice(0xffffffffffffffff, 0x0, 0x0, 0x0) truncate(0x0, 0x0) ioctl$int_in(0xffffffffffffffff, 0x0, 0x0) 08:35:58 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000140)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54f124d6066e2d4c3a34d00237644df040aa"], 0x0, 0x0, 0x0}) r2 = openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000000)='/proc/capi/capi20\x00', 0x200, 0x0) ioctl$VIDIOC_QBUF(r2, 0xc058560f, &(0x7f00000000c0)={0x34, 0xf, 0x4, 0x4, {}, {0x7, 0x2, 0x8001, 0x7, 0x8, 0x3, "e9270f31"}, 0x8000, 0x3, @planes=&(0x7f0000000080)={0x1, 0xfffffffffffff83f, @userptr=0x1, 0x9}, 0x4}) ioctl$IMGETCOUNT(r2, 0x80044943, &(0x7f0000000180)) ioctl$DRM_IOCTL_INFO_BUFS(r2, 0xc0106418, &(0x7f00000001c0)={0x9, 0xf08f, 0x5, 0x1, 0x8, 0x7}) [ 729.866348][T14318] binder: 14315:14318 ERROR: BC_REGISTER_LOOPER called without request 08:35:58 executing program 3: [ 729.907604][T14318] binder: 14315:14318 DecRefs 0 refcount change on invalid ref 4 ret -22 [ 729.926122][T14318] binder_transaction: 2 callbacks suppressed [ 729.926132][T14318] binder: 14315:14318 got reply transaction with no transaction stack 08:35:58 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, 0x0, 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) 08:35:58 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x7b, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3"}) [ 730.172588][T14335] binder: 14332:14335 ERROR: BC_REGISTER_LOOPER called without request [ 730.192637][T14335] binder: 14332:14335 DecRefs 0 refcount change on invalid ref 4 ret -22 [ 730.201545][T14335] binder: 14332:14335 got reply transaction with no transaction stack 08:35:59 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:35:59 executing program 3: 08:35:59 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) readahead(0xffffffffffffffff, 0x0, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) fcntl$getflags(0xffffffffffffffff, 0x0) r2 = open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0) r3 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r3, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) ioctl$sock_inet_SIOCSIFBRDADDR(r0, 0x891a, &(0x7f00000004c0)={'hsr0\x00', {0x2, 0x4e23, @rand_addr=0x1}}) openat$pfkey(0xffffffffffffff9c, &(0x7f0000000180)='/proc/self/net/pfkey\x00', 0x101000, 0x0) ioctl$sock_SIOCGPGRP(r2, 0x8904, &(0x7f0000000080)) prlimit64(0x0, 0x0, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x0) ioctl$EVIOCSABS3F(r2, 0x401845ff, 0x0) recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) setsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) ioctl$UI_GET_SYSNAME(r2, 0x8040552c, &(0x7f0000000140)) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, 0x0, 0x0) setsockopt$packet_tx_ring(r3, 0x107, 0x5, &(0x7f0000000040)=@req3={0x10000, 0x100000001, 0x10000, 0x1}, 0x1c) io_getevents(0x0, 0x0, 0x0, 0x0, 0x0) ioctl$VT_SETMODE(0xffffffffffffffff, 0x5602, 0x0) socket$nl_netfilter(0x10, 0x3, 0xc) getsockopt(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) vmsplice(0xffffffffffffffff, 0x0, 0x0, 0x0) truncate(0x0, 0x0) 08:35:59 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = openat$selinux_status(0xffffffffffffff9c, &(0x7f0000000000)='/selinux/status\x00', 0x0, 0x0) ioctl$TUNSETVNETHDRSZ(r1, 0x400454d8, &(0x7f0000000080)=0x5) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r2, 0x0) getsockopt$inet_sctp_SCTP_PRIMARY_ADDR(r1, 0x84, 0x6, &(0x7f00000000c0)={0x0, @in6={{0xa, 0x4e20, 0x4, @rand_addr="8ffa671c2145458f4276e0b46f1c397c", 0x7f}}}, &(0x7f00000001c0)=0x84) prctl$PR_SVE_SET_VL(0x32, 0x6b34) getsockopt$inet_sctp_SCTP_CONTEXT(r1, 0x84, 0x11, &(0x7f0000000240)={r3, 0x5}, &(0x7f0000000280)=0x8) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:35:59 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x7b, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3"}) 08:35:59 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) 08:35:59 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) r2 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7, 0x8100) r3 = syz_genetlink_get_family_id$tipc(&(0x7f0000000240)='TIPC\x00') setsockopt$netlink_NETLINK_NO_ENOBUFS(r2, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) sendmsg$TIPC_CMD_GET_LINKS(r2, &(0x7f0000000400)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x8}, 0xc, &(0x7f00000003c0)={&(0x7f0000000380)={0x24, r3, 0x420, 0x70bd26, 0x25dfdbfb, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x2}}, ["", "", "", "", ""]}, 0x24}, 0x1, 0x0, 0x0, 0x4000050}, 0x4) r4 = syz_genetlink_get_family_id$tipc(&(0x7f00000000c0)='TIPC\x00') sendmsg$TIPC_CMD_GET_LINKS(r2, &(0x7f00000001c0)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x4000000}, 0xc, &(0x7f0000000140)={&(0x7f0000000100)={0x24, r4, 0x300, 0x70bd28, 0x25dfdbfb, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x80000001}}, ["", "", "", ""]}, 0x24}, 0x1, 0x0, 0x0, 0x8000}, 0x4008041) setsockopt$RXRPC_SECURITY_KEY(r2, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000280)=ANY=[@ANYBLOB="1163484000000000000000ff7f00020000000000000000000000dd8651ad81a1ad0e29bf54bebc70823e633a6039853876f184e8134057917db1aae4f67a09d8a69d182d350f9d40d144ab8ff14e81bee155255cc363805d9ab603412c30288ddc4b17fdae326da7688b75fe2c4fe372af8368b3b9fef2994f8da32a898fe437adc821e1920cfdafca315a10967cdc04401d2f579f2122319ab4269398add6b90861e28c5afd6f059665d74395c55a56c9647f783417035ec24b82dc557e366dbc883b7bd6098e82d17916fad5293f5a8894f528e6a123976c20f519c42e6a6b5cd71b803affc6099bbf0000000001000000"], 0x0, 0x0, 0x0}) 08:35:59 executing program 3: [ 730.374707][T14344] binder: 14340:14344 ERROR: BC_REGISTER_LOOPER called without request [ 730.397569][T14344] binder: 14340:14344 DecRefs 0 refcount change on invalid ref 4 ret -22 [ 730.412962][T14344] binder: 14340:14344 got reply transaction with no transaction stack 08:35:59 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x7b, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3"}) 08:35:59 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) 08:35:59 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) readahead(0xffffffffffffffff, 0x0, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) fcntl$getflags(0xffffffffffffffff, 0x0) r2 = open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0) r3 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r3, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) ioctl$sock_inet_SIOCSIFBRDADDR(r0, 0x891a, &(0x7f00000004c0)={'hsr0\x00', {0x2, 0x4e23, @rand_addr=0x1}}) openat$pfkey(0xffffffffffffff9c, &(0x7f0000000180)='/proc/self/net/pfkey\x00', 0x101000, 0x0) ioctl$sock_SIOCGPGRP(r2, 0x8904, &(0x7f0000000080)) prlimit64(0x0, 0x0, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x0) ioctl$EVIOCSABS3F(r2, 0x401845ff, 0x0) recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) setsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) ioctl$UI_GET_SYSNAME(r2, 0x8040552c, &(0x7f0000000140)) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, 0x0, 0x0) setsockopt$packet_tx_ring(r3, 0x107, 0x5, &(0x7f0000000040)=@req3={0x10000, 0x100000001, 0x10000, 0x1}, 0x1c) io_getevents(0x0, 0x0, 0x0, 0x0, 0x0) ioctl$VT_SETMODE(0xffffffffffffffff, 0x5602, 0x0) socket$nl_netfilter(0x10, 0x3, 0xc) getsockopt(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) vmsplice(0xffffffffffffffff, 0x0, 0x0, 0x0) 08:35:59 executing program 3: [ 730.630392][T14354] binder: 14350:14354 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 730.672752][T14354] binder: 14350:14354 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 730.683310][T14360] binder: 14359:14360 ERROR: BC_REGISTER_LOOPER called without request [ 730.695922][T14354] binder: 14350:14354 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 730.711133][T14360] binder: 14359:14360 DecRefs 0 refcount change on invalid ref 4 ret -22 [ 730.714779][T14354] binder: 14350:14354 got transaction to invalid handle [ 730.736643][T14360] binder: 14359:14360 got reply transaction with no transaction stack [ 730.745165][T14367] binder: BINDER_SET_CONTEXT_MGR already set [ 730.753452][T14367] binder: 14350:14367 ioctl 40046207 0 returned -16 08:36:00 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:00 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) readahead(0xffffffffffffffff, 0x0, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) fcntl$getflags(0xffffffffffffffff, 0x0) r2 = open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0) r3 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r3, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) ioctl$sock_inet_SIOCSIFBRDADDR(r0, 0x891a, &(0x7f00000004c0)={'hsr0\x00', {0x2, 0x4e23, @rand_addr=0x1}}) openat$pfkey(0xffffffffffffff9c, &(0x7f0000000180)='/proc/self/net/pfkey\x00', 0x101000, 0x0) ioctl$sock_SIOCGPGRP(r2, 0x8904, &(0x7f0000000080)) prlimit64(0x0, 0x0, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x0) ioctl$EVIOCSABS3F(r2, 0x401845ff, 0x0) recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) setsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) ioctl$UI_GET_SYSNAME(r2, 0x8040552c, &(0x7f0000000140)) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, 0x0, 0x0) setsockopt$packet_tx_ring(r3, 0x107, 0x5, &(0x7f0000000040)=@req3={0x10000, 0x100000001, 0x10000, 0x1}, 0x1c) io_getevents(0x0, 0x0, 0x0, 0x0, 0x0) ioctl$VT_SETMODE(0xffffffffffffffff, 0x5602, 0x0) socket$nl_netfilter(0x10, 0x3, 0xc) getsockopt(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) 08:36:00 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x8f, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32"}) 08:36:00 executing program 3: 08:36:00 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x2000000000) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) socket$caif_seqpacket(0x25, 0x5, 0x3) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000100)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf540f532e6a2e4ff2aaefe5b0bfceaefee26e4e49fec95c1bc7de135fb81ff43e10a44704436a15a5feb46b4419636c54662833f04ade86093855db8713a1704aec1a8c1d627cf2464fdbf585c893b2"], 0x0, 0x0, 0x0}) 08:36:00 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) 08:36:00 executing program 3: [ 731.226100][T14383] binder: 14378:14383 ERROR: BC_REGISTER_LOOPER called without request [ 731.236073][T14384] binder_alloc: 14379: binder_alloc_buf size 5740120 failed, no address space [ 731.251807][T14383] binder: 14378:14383 DecRefs 0 refcount change on invalid ref 4 ret -22 [ 731.260699][T14386] binder: BINDER_SET_CONTEXT_MGR already set [ 731.268990][T14383] binder: 14378:14383 got reply transaction with no transaction stack [ 731.278456][T14386] binder: 14379:14386 ioctl 40046207 0 returned -16 [ 731.288651][T14384] binder_alloc: allocated: 0 (num: 0 largest: 0), free: 16384 (num: 1 largest: 16384) 08:36:00 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x8f, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32"}) 08:36:00 executing program 3: 08:36:00 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="11634840000100000000000000000280800000ffffff7f7400009d8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:36:00 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) readahead(0xffffffffffffffff, 0x0, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) fcntl$getflags(0xffffffffffffffff, 0x0) r2 = open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0) r3 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r3, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) ioctl$sock_inet_SIOCSIFBRDADDR(r0, 0x891a, &(0x7f00000004c0)={'hsr0\x00', {0x2, 0x4e23, @rand_addr=0x1}}) openat$pfkey(0xffffffffffffff9c, &(0x7f0000000180)='/proc/self/net/pfkey\x00', 0x101000, 0x0) ioctl$sock_SIOCGPGRP(r2, 0x8904, &(0x7f0000000080)) prlimit64(0x0, 0x0, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x0) ioctl$EVIOCSABS3F(r2, 0x401845ff, 0x0) recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) setsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) ioctl$UI_GET_SYSNAME(r2, 0x8040552c, &(0x7f0000000140)) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, 0x0, 0x0) setsockopt$packet_tx_ring(r3, 0x107, 0x5, &(0x7f0000000040)=@req3={0x10000, 0x100000001, 0x10000, 0x1}, 0x1c) io_getevents(0x0, 0x0, 0x0, 0x0, 0x0) ioctl$VT_SETMODE(0xffffffffffffffff, 0x5602, 0x0) socket$nl_netfilter(0x10, 0x3, 0xc) 08:36:00 executing program 0: syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r0 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r0, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) [ 731.485664][T14393] binder: 14390:14393 ERROR: BC_REGISTER_LOOPER called without request [ 731.519629][T14397] binder: 14394:14397 got transaction to invalid handle [ 731.540588][T14393] binder: 14390:14393 DecRefs 0 refcount change on invalid ref 4 ret -22 [ 731.548746][T14401] binder: 14394:14401 got transaction to invalid handle [ 731.587207][T14401] binder_transaction: 31 callbacks suppressed [ 731.587226][T14401] binder: 14394:14401 transaction failed 29201/-22, size 84-0 line 2995 [ 731.592090][T14393] binder: 14390:14393 got reply transaction with no transaction stack [ 731.631715][T14393] binder: 14390:14393 transaction failed 29201/-71, size 0-0 line 2900 08:36:01 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(0xffffffffffffffff, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:01 executing program 3: 08:36:01 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x8f, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32"}) 08:36:01 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = dup2(r0, r0) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r2, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000200)={0xfffffffffffffe93, 0x0, &(0x7f00000003c0)=ANY=[], 0x0, 0x0, 0x0}) 08:36:01 executing program 0: syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r0 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r0, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) 08:36:01 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) readahead(0xffffffffffffffff, 0x0, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) fcntl$getflags(0xffffffffffffffff, 0x0) r2 = open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0) r3 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r3, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) ioctl$sock_inet_SIOCSIFBRDADDR(r0, 0x891a, &(0x7f00000004c0)={'hsr0\x00', {0x2, 0x4e23, @rand_addr=0x1}}) openat$pfkey(0xffffffffffffff9c, &(0x7f0000000180)='/proc/self/net/pfkey\x00', 0x101000, 0x0) ioctl$sock_SIOCGPGRP(r2, 0x8904, &(0x7f0000000080)) prlimit64(0x0, 0x0, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x0) ioctl$EVIOCSABS3F(r2, 0x401845ff, 0x0) recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) setsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) ioctl$UI_GET_SYSNAME(r2, 0x8040552c, &(0x7f0000000140)) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, 0x0, 0x0) setsockopt$packet_tx_ring(r3, 0x107, 0x5, &(0x7f0000000040)=@req3={0x10000, 0x100000001, 0x10000, 0x1}, 0x1c) io_getevents(0x0, 0x0, 0x0, 0x0, 0x0) ioctl$VT_SETMODE(0xffffffffffffffff, 0x5602, 0x0) 08:36:01 executing program 3: [ 732.151146][T14421] binder: 14416:14421 ERROR: BC_REGISTER_LOOPER called without request [ 732.176024][T14421] binder: 14416:14421 DecRefs 0 refcount change on invalid ref 4 ret -22 08:36:01 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r2 = socket(0x11, 0x400000400000003, 0x0) setsockopt(r2, 0x0, 0x0, 0x0, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000400000000000020000000000000000090000dd8651ad81a16d910d9e54"], 0x0, 0x0, 0x0}) [ 732.207779][T14421] binder: 14416:14421 got reply transaction with no transaction stack [ 732.229919][T14421] binder: 14416:14421 transaction failed 29201/-71, size 0-0 line 2900 08:36:01 executing program 0: syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r0 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r0, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) 08:36:01 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) readahead(0xffffffffffffffff, 0x0, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) fcntl$getflags(0xffffffffffffffff, 0x0) r2 = open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0) r3 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r3, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) ioctl$sock_inet_SIOCSIFBRDADDR(r0, 0x891a, &(0x7f00000004c0)={'hsr0\x00', {0x2, 0x4e23, @rand_addr=0x1}}) openat$pfkey(0xffffffffffffff9c, &(0x7f0000000180)='/proc/self/net/pfkey\x00', 0x101000, 0x0) ioctl$sock_SIOCGPGRP(r2, 0x8904, &(0x7f0000000080)) prlimit64(0x0, 0x0, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x0) ioctl$EVIOCSABS3F(r2, 0x401845ff, 0x0) recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) setsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) ioctl$UI_GET_SYSNAME(r2, 0x8040552c, &(0x7f0000000140)) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, 0x0, 0x0) setsockopt$packet_tx_ring(r3, 0x107, 0x5, &(0x7f0000000040)=@req3={0x10000, 0x100000001, 0x10000, 0x1}, 0x1c) io_getevents(0x0, 0x0, 0x0, 0x0, 0x0) 08:36:01 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x99, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32bda5cb71a466568148a4"}) 08:36:01 executing program 3: [ 732.363300][T14429] binder: 14428:14429 got transaction with invalid data ptr [ 732.385178][T14429] binder: 14428:14429 transaction failed 29201/-14, size 84-0 line 3180 [ 732.498885][ T17] binder_release_work: 25 callbacks suppressed [ 732.498903][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 732.499175][T14440] binder: 14439:14440 ERROR: BC_REGISTER_LOOPER called without request [ 732.529502][T14440] binder: 14439:14440 DecRefs 0 refcount change on invalid ref 4 ret -22 [ 732.544105][T14440] binder: 14439:14440 got reply transaction with no transaction stack [ 732.553836][T14440] binder: 14439:14440 transaction failed 29201/-71, size 0-0 line 2900 [ 732.562774][T14429] binder: BINDER_SET_CONTEXT_MGR already set [ 732.574875][T14444] binder: 14428:14444 transaction failed 29189/-22, size 84-0 line 2995 [ 732.583853][T14429] binder: 14428:14429 ioctl 40046207 0 returned -16 [ 732.634468][T13002] binder: undelivered TRANSACTION_ERROR: 29189 08:36:01 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(0xffffffffffffffff, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:01 executing program 3: 08:36:01 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) 08:36:01 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x99, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32bda5cb71a466568148a4"}) 08:36:01 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) r2 = syz_open_dev$audion(&(0x7f0000000000)='/dev/audio#\x00', 0x8, 0x80) ioctl$VIDIOC_SUBDEV_S_EDID(r2, 0xc0285629, &(0x7f00000000c0)={0x0, 0x9, 0x1f, [], &(0x7f0000000080)=0x8}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000100)=ANY=[@ANYBLOB="1163480100180000000000000000020000000000000000000000dd0519000000000000bf54f5968a8656c076412e8172f7da5db60220f3dd3f564e6a8f8f9d7f817ce67444c039464141c0277621545b0c2f9f42544d26229f32665f4f476e106d60e335646efd631efbf9afdf32bd1dae8591ec493b29a8"], 0x0, 0x0, 0x0}) 08:36:01 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) readahead(0xffffffffffffffff, 0x0, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) fcntl$getflags(0xffffffffffffffff, 0x0) r2 = open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0) r3 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r3, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) ioctl$sock_inet_SIOCSIFBRDADDR(r0, 0x891a, &(0x7f00000004c0)={'hsr0\x00', {0x2, 0x4e23, @rand_addr=0x1}}) openat$pfkey(0xffffffffffffff9c, &(0x7f0000000180)='/proc/self/net/pfkey\x00', 0x101000, 0x0) ioctl$sock_SIOCGPGRP(r2, 0x8904, &(0x7f0000000080)) prlimit64(0x0, 0x0, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x0) ioctl$EVIOCSABS3F(r2, 0x401845ff, 0x0) recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) setsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) ioctl$UI_GET_SYSNAME(r2, 0x8040552c, &(0x7f0000000140)) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, 0x0, 0x0) setsockopt$packet_tx_ring(r3, 0x107, 0x5, &(0x7f0000000040)=@req3={0x10000, 0x100000001, 0x10000, 0x1}, 0x1c) 08:36:01 executing program 3: [ 732.975270][T14460] binder: 14455:14460 ERROR: BC_REGISTER_LOOPER called without request [ 733.001099][T14460] binder: 14455:14460 got reply transaction with no transaction stack [ 733.001226][T14462] binder: 14458:14462 ioctl c0306201 0 returned -14 08:36:02 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x99, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32bda5cb71a466568148a4"}) [ 733.031661][T14461] binder: 14457:14461 unknown command 21521169 [ 733.037904][T14461] binder: 14457:14461 ioctl c0306201 20000200 returned -22 [ 733.059925][T14460] binder: 14455:14460 transaction failed 29201/-71, size 0-0 line 2900 08:36:02 executing program 3: 08:36:02 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) readahead(0xffffffffffffffff, 0x0, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) fcntl$getflags(0xffffffffffffffff, 0x0) r2 = open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0) r3 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r3, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) ioctl$sock_inet_SIOCSIFBRDADDR(r0, 0x891a, &(0x7f00000004c0)={'hsr0\x00', {0x2, 0x4e23, @rand_addr=0x1}}) openat$pfkey(0xffffffffffffff9c, &(0x7f0000000180)='/proc/self/net/pfkey\x00', 0x101000, 0x0) ioctl$sock_SIOCGPGRP(r2, 0x8904, &(0x7f0000000080)) prlimit64(0x0, 0x0, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x0) ioctl$EVIOCSABS3F(r2, 0x401845ff, 0x0) recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) setsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) ioctl$UI_GET_SYSNAME(r2, 0x8040552c, &(0x7f0000000140)) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, 0x0, 0x0) 08:36:02 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) [ 733.141434][T14461] binder: BINDER_SET_CONTEXT_MGR already set [ 733.157631][T14467] binder: 14457:14467 unknown command 21521169 [ 733.201582][T14461] binder: 14457:14461 ioctl 40046207 0 returned -16 [ 733.235003][T14467] binder: 14457:14467 ioctl c0306201 20000200 returned -22 08:36:02 executing program 3: [ 733.265130][T14473] binder: 14466:14473 got reply transaction with no transaction stack [ 733.298884][T14473] binder: 14466:14473 transaction failed 29201/-71, size 0-0 line 2900 [ 733.365350][T14475] binder: 14474:14475 ioctl c0306201 0 returned -14 08:36:02 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x9e, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32bda5cb71a466568148a404a431aa03"}) 08:36:02 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) r2 = openat$zero(0xffffffffffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x101480, 0x0) r3 = syz_genetlink_get_family_id$SEG6(&(0x7f00000000c0)='SEG6\x00') sendmsg$SEG6_CMD_SET_TUNSRC(r2, &(0x7f00000001c0)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x20004400}, 0xc, &(0x7f0000000140)={&(0x7f0000000100)={0x30, r3, 0x404, 0x70bd25, 0x25dfdbfd, {}, [@SEG6_ATTR_DST={0x14, 0x1, @mcast1}, @SEG6_ATTR_HMACKEYID={0x8, 0x3, 0x4}]}, 0x30}, 0x1, 0x0, 0x0, 0x40}, 0x40000) 08:36:02 executing program 3: 08:36:02 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) readahead(0xffffffffffffffff, 0x0, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) fcntl$getflags(0xffffffffffffffff, 0x0) r2 = open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0) r3 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r3, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) ioctl$sock_inet_SIOCSIFBRDADDR(r0, 0x891a, &(0x7f00000004c0)={'hsr0\x00', {0x2, 0x4e23, @rand_addr=0x1}}) openat$pfkey(0xffffffffffffff9c, &(0x7f0000000180)='/proc/self/net/pfkey\x00', 0x101000, 0x0) ioctl$sock_SIOCGPGRP(r2, 0x8904, &(0x7f0000000080)) prlimit64(0x0, 0x0, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x0) ioctl$EVIOCSABS3F(r2, 0x401845ff, 0x0) recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) setsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) ioctl$UI_GET_SYSNAME(r2, 0x8040552c, &(0x7f0000000140)) 08:36:02 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(0xffffffffffffffff, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:02 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) [ 733.827802][T14495] binder: 14491:14495 got transaction with invalid data ptr [ 733.836904][T14494] binder: 14493:14494 ioctl c0306201 0 returned -14 [ 733.846405][T14495] binder: 14491:14495 transaction failed 29201/-14, size 84-0 line 3180 [ 733.856158][T14497] binder: 14490:14497 transaction failed 29201/-71, size 0-0 line 2900 [ 733.858906][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:36:02 executing program 3: [ 733.879360][T14495] binder: BINDER_SET_CONTEXT_MGR already set [ 733.885411][T14495] binder: 14491:14495 ioctl 40046207 0 returned -16 [ 733.896834][ T17] binder: undelivered TRANSACTION_ERROR: 29189 08:36:02 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x9e, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32bda5cb71a466568148a404a431aa03"}) 08:36:02 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) r2 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000000)='/dev/btrfs-control\x00', 0x1e1803, 0x0) connect$llc(r2, &(0x7f0000000080)={0x1a, 0x32f, 0x3, 0x1, 0x2, 0x9a2, @broadcast}, 0x10) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000617c0000000200000000bf5400"/37], 0x0, 0x0, 0x0}) 08:36:02 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) readahead(0xffffffffffffffff, 0x0, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) fcntl$getflags(0xffffffffffffffff, 0x0) r2 = open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0) r3 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r3, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) ioctl$sock_inet_SIOCSIFBRDADDR(r0, 0x891a, &(0x7f00000004c0)={'hsr0\x00', {0x2, 0x4e23, @rand_addr=0x1}}) openat$pfkey(0xffffffffffffff9c, &(0x7f0000000180)='/proc/self/net/pfkey\x00', 0x101000, 0x0) ioctl$sock_SIOCGPGRP(r2, 0x8904, &(0x7f0000000080)) prlimit64(0x0, 0x0, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x0) ioctl$EVIOCSABS3F(r2, 0x401845ff, 0x0) recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) setsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) 08:36:02 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) 08:36:03 executing program 3: 08:36:03 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x9e, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32bda5cb71a466568148a404a431aa03"}) [ 734.148926][T13002] binder: undelivered TRANSACTION_ERROR: 29189 [ 734.156663][T14518] binder_alloc: 14507: binder_alloc_buf, no vma [ 734.165854][T13002] binder: undelivered TRANSACTION_ERROR: 29189 08:36:03 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) r2 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net/ipv4/vs/sync_persist_mode\x00', 0x2, 0x0) r3 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000080)='/dev/autofs\x00', 0x400, 0x0) ioctl$ION_IOC_ALLOC(r2, 0xc0184900, &(0x7f00000000c0)={0x2, 0x2, 0x1, r3}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:36:03 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) 08:36:03 executing program 3: [ 734.385059][T14531] binder: 14525:14531 got transaction with invalid data ptr [ 734.424919][T13002] binder: undelivered TRANSACTION_ERROR: 29201 [ 734.425274][T14537] binder: BINDER_SET_CONTEXT_MGR already set [ 734.439153][T14537] binder: 14525:14537 ioctl 40046207 0 returned -16 08:36:03 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x0) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:03 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0xa1, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32bda5cb71a466568148a404a431aa03db2267"}) 08:36:03 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) readahead(0xffffffffffffffff, 0x0, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) fcntl$getflags(0xffffffffffffffff, 0x0) r2 = open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0) r3 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r3, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) ioctl$sock_inet_SIOCSIFBRDADDR(r0, 0x891a, &(0x7f00000004c0)={'hsr0\x00', {0x2, 0x4e23, @rand_addr=0x1}}) openat$pfkey(0xffffffffffffff9c, &(0x7f0000000180)='/proc/self/net/pfkey\x00', 0x101000, 0x0) ioctl$sock_SIOCGPGRP(r2, 0x8904, &(0x7f0000000080)) prlimit64(0x0, 0x0, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x0) ioctl$EVIOCSABS3F(r2, 0x401845ff, 0x0) recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) 08:36:03 executing program 3: 08:36:03 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_procfs(0xffffffffffffffff, &(0x7f00000001c0)='net/ptype\x00') read$alg(r1, &(0x7f0000000080)=""/202, 0xca) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0xfffffffffffffffd) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r2, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:36:03 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) [ 734.763440][T14548] binder_thread_write: 4 callbacks suppressed [ 734.763451][T14548] binder: 14542:14548 ERROR: BC_REGISTER_LOOPER called without request [ 734.782660][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 734.795534][T14548] binder_thread_write: 5 callbacks suppressed [ 734.795550][T14548] binder: 14542:14548 DecRefs 0 refcount change on invalid ref 4 ret -22 08:36:03 executing program 3: 08:36:03 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000180)=ANY=[], 0x0, 0x0, 0x0}) [ 734.818820][ T17] binder: undelivered TRANSACTION_ERROR: 29189 08:36:03 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0xa1, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32bda5cb71a466568148a404a431aa03db2267"}) 08:36:03 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000180)=ANY=[], 0x0, 0x0, 0x0}) 08:36:03 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) readahead(0xffffffffffffffff, 0x0, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) fcntl$getflags(0xffffffffffffffff, 0x0) r2 = open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0) r3 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r3, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) ioctl$sock_inet_SIOCSIFBRDADDR(r0, 0x891a, &(0x7f00000004c0)={'hsr0\x00', {0x2, 0x4e23, @rand_addr=0x1}}) openat$pfkey(0xffffffffffffff9c, &(0x7f0000000180)='/proc/self/net/pfkey\x00', 0x101000, 0x0) ioctl$sock_SIOCGPGRP(r2, 0x8904, &(0x7f0000000080)) prlimit64(0x0, 0x0, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x0) ioctl$EVIOCSABS3F(r2, 0x401845ff, 0x0) 08:36:03 executing program 3: [ 735.089182][T14566] binder: 14560:14566 ERROR: BC_REGISTER_LOOPER called without request [ 735.144041][T14566] binder: 14560:14566 DecRefs 0 refcount change on invalid ref 4 ret -22 [ 735.174663][T14566] binder_transaction: 4 callbacks suppressed [ 735.174674][T14566] binder: 14560:14566 got reply transaction with no transaction stack 08:36:04 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x0) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:04 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x0) mmap(&(0x7f0000ff9000/0x2000)=nil, 0x2000, 0x100, 0x20011, r0, 0x0) r2 = dup3(r0, r1, 0x80000) setsockopt$l2tp_PPPOL2TP_SO_LNSMODE(r2, 0x111, 0x4, 0x1, 0x4) ioctl$SNDRV_SEQ_IOCTL_UNSUBSCRIBE_PORT(r2, 0x40505331, &(0x7f0000000080)={{0x80, 0x8001}, {0x10000, 0x800}, 0x7, 0x5, 0x5}) sendmsg$nl_route_sched(r2, &(0x7f0000000140)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x1050021}, 0xc, &(0x7f0000000100)={&(0x7f0000000240)=ANY=[@ANYBLOB="58020000310000092cbd7000fddbdf250000000068000100100017000000080003000300000000001400160000000c0001006d697272656400000000100009000000080003000100008000001000090000000800030000000000000010001200000008000100696665000000100012000000080001006966650000006c000100100005000000080003000400000000001400050000000c000100736b626d6f64000000001000050000000800010062706600000014000b0000000c0001006761637400000000000010001a0040000800030008000000000010001b00000008000300070000000000580001001400130000000c000100736b626564697400000010000d000000080003000200000000001000060000000800030006000000000010001e0000000800030008000000000010000a0000000800010069707400005e6e71cd91db9914000000080003007130000000001000110000000800030001800000000014000f0000000c00010073616d706c65000000001400110000000c0001006d6972726564000000001000110000000800030004000000000010001b0000000800030000100000000010001700000008000100627066000000100009000000080003000600000000001000110000000800030040000000000010001100000008000300d6e20000000028000100100009000000080003000700000000001400010000000c000100736b626d6f6400000000440001001400120000000c000100706f6c696365000000001400190000000c0001006d69727265640000000018001900000010000100636f6e6e6d61726b000000000000"], 0x258}, 0x1, 0x0, 0x0, 0x20000000}, 0x1) ioctl$UI_SET_PROPBIT(r2, 0x4004556e, 0x6) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000041f00363a46dd7acf711a4da0a599f000200000000000000"], 0x0, 0x0, 0x0}) 08:36:04 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) readahead(0xffffffffffffffff, 0x0, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) fcntl$getflags(0xffffffffffffffff, 0x0) r2 = open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0) r3 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r3, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) ioctl$sock_inet_SIOCSIFBRDADDR(r0, 0x891a, &(0x7f00000004c0)={'hsr0\x00', {0x2, 0x4e23, @rand_addr=0x1}}) openat$pfkey(0xffffffffffffff9c, &(0x7f0000000180)='/proc/self/net/pfkey\x00', 0x101000, 0x0) ioctl$sock_SIOCGPGRP(r2, 0x8904, &(0x7f0000000080)) prlimit64(0x0, 0x0, 0x0, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x0) 08:36:04 executing program 3: 08:36:04 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000180)=ANY=[], 0x0, 0x0, 0x0}) 08:36:04 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0xa1, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32bda5cb71a466568148a404a431aa03db2267"}) 08:36:04 executing program 3: [ 735.570938][T14585] binder: 14580:14585 ioctl 40505331 20000080 returned -22 [ 735.585004][T14587] binder: 14582:14587 ERROR: BC_REGISTER_LOOPER called without request [ 735.598849][T14585] binder: 14580:14585 ioctl 4004556e 6 returned -22 [ 735.612108][T14587] binder: 14582:14587 DecRefs 0 refcount change on invalid ref 4 ret -22 [ 735.625752][T14587] binder: 14582:14587 got reply transaction with no transaction stack [ 735.630123][T14585] binder: 14580:14585 got transaction to context manager from process owning it 08:36:04 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) readahead(0xffffffffffffffff, 0x0, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) fcntl$getflags(0xffffffffffffffff, 0x0) r2 = open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0) r3 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r3, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) ioctl$sock_inet_SIOCSIFBRDADDR(r0, 0x891a, &(0x7f00000004c0)={'hsr0\x00', {0x2, 0x4e23, @rand_addr=0x1}}) openat$pfkey(0xffffffffffffff9c, &(0x7f0000000180)='/proc/self/net/pfkey\x00', 0x101000, 0x0) ioctl$sock_SIOCGPGRP(r2, 0x8904, &(0x7f0000000080)) prlimit64(0x0, 0x0, 0x0, 0x0) 08:36:04 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000180)=ANY=[], 0x0, 0x0, 0x0}) 08:36:04 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0xa2, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32bda5cb71a466568148a404a431aa03db22670f"}) [ 735.691239][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 735.704675][T14585] binder: 14580:14585 ioctl 40505331 20000080 returned -22 08:36:04 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f00000000c0)="1020f5f20100070009000000030000000c", 0x11, 0x1400}], 0x0, 0x0) 08:36:04 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x800) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) [ 735.874974][T14604] binder: 14599:14604 ERROR: BC_REGISTER_LOOPER called without request [ 735.922490][T14604] binder: 14599:14604 DecRefs 0 refcount change on invalid ref 4 ret -22 [ 735.947309][T14604] binder: 14599:14604 got reply transaction with no transaction stack [ 735.981282][T14628] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 736.007749][T14705] binder: 14649:14705 got transaction with invalid data ptr [ 736.027260][T14628] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock [ 736.044730][T14714] binder: 14649:14714 got transaction with invalid data ptr [ 736.068356][T14628] F2FS-fs (loop3): Invalid log blocks per segment (0) [ 736.068356][T14628] [ 736.120085][T14628] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock [ 736.201608][T14628] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 736.210250][T14628] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock [ 736.233633][T14628] F2FS-fs (loop3): Invalid log blocks per segment (0) [ 736.233633][T14628] [ 736.264123][T14628] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock 08:36:05 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) readahead(0xffffffffffffffff, 0x0, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) fcntl$getflags(0xffffffffffffffff, 0x0) r2 = open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0) r3 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r3, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) ioctl$sock_inet_SIOCSIFBRDADDR(r0, 0x891a, &(0x7f00000004c0)={'hsr0\x00', {0x2, 0x4e23, @rand_addr=0x1}}) openat$pfkey(0xffffffffffffff9c, &(0x7f0000000180)='/proc/self/net/pfkey\x00', 0x101000, 0x0) ioctl$sock_SIOCGPGRP(r2, 0x8904, &(0x7f0000000080)) 08:36:05 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB], 0x0, 0x0, 0x0}) 08:36:05 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0xa2, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32bda5cb71a466568148a404a431aa03db22670f"}) 08:36:05 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) r2 = geteuid() getresuid(&(0x7f0000000100)=0x0, &(0x7f0000000140), &(0x7f00000001c0)) lstat(&(0x7f0000000280)='./file0\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, &(0x7f0000000340)={{{@in=@multicast1, @in6=@mcast1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@dev}, 0x0, @in=@loopback}}, &(0x7f0000000440)=0xe8) fstat(r0, &(0x7f0000000480)={0x0, 0x0, 0x0, 0x0, 0x0}) syz_mount_image$reiserfs(&(0x7f0000000000)='reiserfs\x00', &(0x7f0000000080)='./file0\x00', 0x3, 0x0, &(0x7f00000000c0), 0x20, &(0x7f0000000500)={[{@tails_on='tails=on'}, {@jdev={'jdev', 0x3d, './file0'}}, {@barrier_none='barrier=none'}, {@acl='acl'}, {@commit={'commit', 0x3d, 0x10645d36}}, {@balloc_hashed_reloc='block-allocator=hashed_relocation'}, {@barrier_flush='barrier=flush'}, {@barrier_flush='barrier=flush'}], [{@uid_gt={'uid>', r2}}, {@appraise='appraise'}, {@smackfsroot={'smackfsroot', 0x3d, '/dev/binder#\x00'}}, {@smackfsroot={'smackfsroot', 0x3d, '/dev/binder#\x00'}}, {@fowner_gt={'fowner>', r3}}, {@fowner_gt={'fowner>', r4}}, {@euid_eq={'euid', 0x3d, r5}}, {@uid_gt={'uid>', r6}}]}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="11630000076f75fcabc419000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:36:05 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x0) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:05 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f00000000c0)="1020f5f20100070009000000030000000c", 0x11, 0x1400}], 0x0, 0x0) 08:36:05 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) r2 = syz_open_dev$admmidi(&(0x7f0000000000)='/dev/admmidi#\x00', 0x8001, 0x181000) getsockopt$inet_sctp6_SCTP_AUTOCLOSE(r2, 0x84, 0x4, &(0x7f0000000080), &(0x7f00000000c0)=0x4) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000280)=ANY=[@ANYBLOB="3163484000000000fb1800000000020000000000000000000000dd8651ad81a179933dfda54a079398cec095cbad4d96b85ad9f4a70bcf09e608c4034e88412b04b105e9d2751ab3c3485d5fba861918da5db8860a752b84822bfae5953846f03b50585a22e40cec3078765cfd5e7e321000affde34b705bcad65cc4e94f699db46cb520b1d8c1d62c7bc6cbbafb3e58c82e3e2e9c14500005b75d6cfd3f87c2af694e4f9034e3aa55ec93a38eadf43bde5a135c95761924f4cb77dd7d8566cf24ef59b55e6f26ada500627a94eaaebc01dee235631e10e6664aa7138e5f0d7e5fe06d34dbce3a8877711a949d"], 0x0, 0x0, 0x0}) [ 736.546241][T14732] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 736.554694][T14736] binder: 14727:14736 ERROR: BC_REGISTER_LOOPER called without request [ 736.567078][T14732] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock [ 736.577299][T14732] F2FS-fs (loop3): Invalid log blocks per segment (0) [ 736.577299][T14732] 08:36:05 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) readahead(0xffffffffffffffff, 0x0, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) fcntl$getflags(0xffffffffffffffff, 0x0) open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0) r2 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r2, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) ioctl$sock_inet_SIOCSIFBRDADDR(r0, 0x891a, &(0x7f00000004c0)={'hsr0\x00', {0x2, 0x4e23, @rand_addr=0x1}}) openat$pfkey(0xffffffffffffff9c, &(0x7f0000000180)='/proc/self/net/pfkey\x00', 0x101000, 0x0) [ 736.598385][T14732] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock [ 736.604384][T14736] binder: 14727:14736 DecRefs 0 refcount change on invalid ref 4 ret -22 [ 736.626447][T14736] binder: 14727:14736 got reply transaction with no transaction stack 08:36:05 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB], 0x0, 0x0, 0x0}) [ 736.658259][T14736] binder_transaction: 15 callbacks suppressed [ 736.658278][T14736] binder: 14727:14736 transaction failed 29201/-71, size 0-0 line 2900 [ 736.751159][T14739] binder: 14738:14739 unknown command 1078485809 [ 736.757570][T14739] binder: 14738:14739 ioctl c0306201 20000200 returned -22 08:36:05 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000140)={0x58, 0x0, &(0x7f00000000c0)=[@register_looper, @decrefs={0x40046307, 0x4}, @reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0xa2, 0x0, &(0x7f0000000240)="fa777b3d429dd4e8472d6712b032799dbaca85f11c5d9128871fceb6f90e0fac4d2469374234902890a2b675196809282896ab3f32599e2c8046b361cf4e376edcdcbcc87cac71e9c9cf49c44227d64e33f3c41afc3bc3668db9975dd9f98a57a0deb167fb8ed1d0fd6add657d567d288a18129a4dc0f062c74bb3350c3c122d00132bd78912922fe9f9edc521fa32bda5cb71a466568148a404a431aa03db22670f"}) 08:36:05 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f00000000c0)="1020f5f20100070009000000030000000c", 0x11, 0x1400}], 0x0, 0x0) [ 736.828146][T14748] binder: BINDER_SET_CONTEXT_MGR already set 08:36:05 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) readahead(0xffffffffffffffff, 0x0, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) fcntl$getflags(0xffffffffffffffff, 0x0) open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0) r2 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r2, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) ioctl$sock_inet_SIOCSIFBRDADDR(r0, 0x891a, &(0x7f00000004c0)={'hsr0\x00', {0x2, 0x4e23, @rand_addr=0x1}}) [ 736.884123][T14749] binder: 14738:14749 unknown command 1078485809 [ 736.884138][T14748] binder: 14738:14748 ioctl 40046207 0 returned -16 08:36:05 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB], 0x0, 0x0, 0x0}) [ 736.949246][T14756] binder: 14753:14756 ERROR: BC_REGISTER_LOOPER called without request [ 736.983784][T14756] binder: 14753:14756 DecRefs 0 refcount change on invalid ref 4 ret -22 [ 737.033314][T14756] binder: 14753:14756 got reply transaction with no transaction stack [ 737.046123][T14761] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 737.057566][T14749] binder: 14738:14749 ioctl c0306201 20000200 returned -22 [ 737.067916][T14761] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock 08:36:06 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000ffc000/0x1000)=nil, 0x1000, 0x1, &(0x7f0000000000)=0x1, 0x1ff0, 0x3) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) r2 = syz_open_dev$usbmon(&(0x7f0000000280)='/dev/usbmon#\x00', 0x4, 0x0) r3 = accept$inet(r2, 0x0, &(0x7f0000000240)=0x5b) getsockopt$inet_mtu(r3, 0x0, 0xa, &(0x7f0000000100), &(0x7f0000000140)=0x4) get_thread_area(&(0x7f0000000080)={0x1000000, 0x20000800, 0xffffffffffffffff, 0x2359, 0xfff, 0x6, 0x200, 0x2, 0xd1, 0x1}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) [ 737.078456][T14756] binder: 14753:14756 transaction failed 29201/-71, size 0-0 line 2900 [ 737.092991][T14761] F2FS-fs (loop3): Invalid log blocks per segment (0) [ 737.092991][T14761] [ 737.103076][T14761] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock 08:36:06 executing program 4: perf_event_open(&(0x7f0000000500)={0x2, 0x70, 0x71, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = open(&(0x7f0000000280)='.\x00', 0x0, 0x0) getdents64(r0, &(0x7f0000000000)=""/240, 0xf0) 08:36:06 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) readahead(0xffffffffffffffff, 0x0, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) fcntl$getflags(0xffffffffffffffff, 0x0) open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0) r2 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r2, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) [ 737.321347][T14774] binder: 14772:14774 got transaction with invalid data ptr [ 737.352741][T14774] binder: 14772:14774 transaction failed 29201/-14, size 84-0 line 3180 08:36:06 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(0xffffffffffffffff, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:06 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f00000000c0)="1020f5f20100070009000000030000000c", 0x11, 0x1400}], 0x0, 0x0) 08:36:06 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x13, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="11634840000000000000000000000200000000"], 0x0, 0x0, 0x0}) 08:36:06 executing program 2: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f00000000c0)="1020f5f20100070009000000030000000c00000009", 0x15, 0x1400}], 0x0, 0x0) 08:36:06 executing program 4: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000340)='./file0\x00', 0x0, 0x1, &(0x7f0000000000)=[{&(0x7f00000000c0)="1020f5f20100070009000000030000000c0000000900000001000000020000000000000000300000000000000e00000016000000020000000200000002000000020000000e000000000400000004000000080000000c000000100000001400000300000001", 0x65, 0x1400}], 0x0, 0x0) 08:36:06 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) readahead(0xffffffffffffffff, 0x0, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) fcntl$getflags(0xffffffffffffffff, 0x0) open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0) setsockopt$packet_int(0xffffffffffffffff, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) [ 737.718631][T14797] binder: 14789:14797 transaction failed 29189/-22, size 0-0 line 2995 [ 737.729095][T14791] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 737.746888][T14790] F2FS-fs (loop4): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 737.754959][T14794] F2FS-fs (loop2): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 737.768058][ T17] binder_release_work: 3 callbacks suppressed [ 737.768067][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 737.777684][T14790] F2FS-fs (loop4): Can't find valid F2FS filesystem in 1th superblock [ 737.795930][T14794] F2FS-fs (loop2): Can't find valid F2FS filesystem in 1th superblock [ 737.804432][T14791] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock 08:36:06 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) readahead(0xffffffffffffffff, 0x0, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) fcntl$getflags(0xffffffffffffffff, 0x0) open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0) setsockopt$packet_int(0xffffffffffffffff, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) [ 737.818980][T14790] F2FS-fs (loop4): Invalid Fs Meta Ino: node(1) meta(0) root(3) [ 737.825428][T14794] F2FS-fs (loop2): Invalid segment count (0) [ 737.836050][T14790] F2FS-fs (loop4): Can't find valid F2FS filesystem in 2th superblock [ 737.840610][T14791] F2FS-fs (loop3): Invalid log blocks per segment (0) [ 737.840610][T14791] [ 737.857374][T14794] F2FS-fs (loop2): Can't find valid F2FS filesystem in 2th superblock 08:36:06 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x13, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="11634840000000000000000000000200000000"], 0x0, 0x0, 0x0}) [ 737.889558][T14791] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock 08:36:06 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) readahead(0xffffffffffffffff, 0x0, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) fcntl$getflags(0xffffffffffffffff, 0x0) open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0) setsockopt$packet_int(0xffffffffffffffff, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) 08:36:06 executing program 2: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f00000000c0)="1020f5f20100070009000000030000000c00000009", 0x15, 0x1400}], 0x0, 0x0) [ 738.058825][T14790] F2FS-fs (loop4): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 738.099565][T14790] F2FS-fs (loop4): Can't find valid F2FS filesystem in 1th superblock [ 738.113437][T14815] binder: 14810:14815 transaction failed 29189/-22, size 0-0 line 2995 08:36:07 executing program 3: syz_mount_image$f2fs(0x0, &(0x7f0000000000)='./file0\x00', 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f00000000c0)="1020f5f20100070009000000030000000c", 0x11, 0x1400}], 0x0, 0x0) 08:36:07 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) readahead(0xffffffffffffffff, 0x0, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) fcntl$getflags(0xffffffffffffffff, 0x0) r2 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r2, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) [ 738.159040][T14790] F2FS-fs (loop4): Invalid Fs Meta Ino: node(1) meta(0) root(3) [ 738.182181][T14790] F2FS-fs (loop4): Can't find valid F2FS filesystem in 2th superblock [ 738.188111][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 738.191822][T14819] F2FS-fs (loop2): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 738.262405][T14819] F2FS-fs (loop2): Can't find valid F2FS filesystem in 1th superblock [ 738.279577][T14819] F2FS-fs (loop2): Invalid segment count (0) [ 738.318119][T14819] F2FS-fs (loop2): Can't find valid F2FS filesystem in 2th superblock 08:36:07 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(0xffffffffffffffff, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:07 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x13, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="11634840000000000000000000000200000000"], 0x0, 0x0, 0x0}) 08:36:07 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) readahead(0xffffffffffffffff, 0x0, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) r2 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r2, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) 08:36:07 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) 08:36:07 executing program 3: syz_mount_image$f2fs(0x0, &(0x7f0000000000)='./file0\x00', 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f00000000c0)="1020f5f20100070009000000030000000c", 0x11, 0x1400}], 0x0, 0x0) 08:36:07 executing program 2: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) readahead(0xffffffffffffffff, 0x0, 0x0) sendto$inet6(r0, 0x0, 0x0, 0x20000008, &(0x7f00008d4fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) fcntl$getflags(0xffffffffffffffff, 0x0) r2 = open(&(0x7f0000002000)='./bus\x00', 0x141042, 0x0) r3 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r3, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) ioctl$sock_inet_SIOCSIFBRDADDR(r0, 0x891a, &(0x7f00000004c0)={'hsr0\x00', {0x2, 0x4e23, @rand_addr=0x1}}) openat$pfkey(0xffffffffffffff9c, &(0x7f0000000180)='/proc/self/net/pfkey\x00', 0x101000, 0x0) ioctl$sock_SIOCGPGRP(r2, 0x8904, &(0x7f0000000080)) [ 738.728430][T14846] binder: 14839:14846 transaction failed 29189/-22, size 0-0 line 2995 08:36:07 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) 08:36:07 executing program 3: syz_mount_image$f2fs(0x0, &(0x7f0000000000)='./file0\x00', 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f00000000c0)="1020f5f20100070009000000030000000c", 0x11, 0x1400}], 0x0, 0x0) [ 738.779093][T14851] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead. [ 738.801979][ T17] binder: undelivered TRANSACTION_ERROR: 29189 08:36:07 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) readahead(0xffffffffffffffff, 0x0, 0x0) r2 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r2, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) 08:36:07 executing program 2: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(0xffffffffffffffff, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:07 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad"], 0x0, 0x0, 0x0}) 08:36:08 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) [ 739.059824][T14871] binder: 14870:14871 transaction failed 29189/-22, size 0-0 line 2995 [ 739.123137][T13002] binder: undelivered TRANSACTION_ERROR: 29189 08:36:08 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(0xffffffffffffffff, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:08 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) setsockopt$sock_timeval(r0, 0x1, 0x15, &(0x7f0000000400)={0x0, 0x7530}, 0xfffffffffffffe9d) r2 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r2, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) 08:36:08 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', 0x0, 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f00000000c0)="1020f5f20100070009000000030000000c", 0x11, 0x1400}], 0x0, 0x0) 08:36:08 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) 08:36:08 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad"], 0x0, 0x0, 0x0}) 08:36:08 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x0) mmap(&(0x7f0000ff9000/0x2000)=nil, 0x2000, 0x100, 0x20011, r0, 0x0) r2 = dup3(r0, r1, 0x80000) setsockopt$l2tp_PPPOL2TP_SO_LNSMODE(r2, 0x111, 0x4, 0x1, 0x4) ioctl$SNDRV_SEQ_IOCTL_UNSUBSCRIBE_PORT(r2, 0x40505331, &(0x7f0000000080)={{0x80, 0x8001}, {0x10000, 0x800}, 0x7, 0x5, 0x5}) sendmsg$nl_route_sched(r2, &(0x7f0000000140)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x1050021}, 0xc, &(0x7f0000000100)={&(0x7f0000000240)=ANY=[@ANYBLOB="58020000310000092cbd7000fddbdf250000000068000100100017000000080003000300000000001400160000000c0001006d697272656400000000100009000000080003000100008000001000090000000800030000000000000010001200000008000100696665000000100012000000080001006966650000006c000100100005000000080003000400000000001400050000000c000100736b626d6f64000000001000050000000800010062706600000014000b0000000c0001006761637400000000000010001a0040000800030008000000000010001b00000008000300070000000000580001001400130000000c000100736b626564697400000010000d000000080003000200000000001000060000000800030006000000000010001e0000000800030008000000000010000a0000000800010069707400005e6e71cd91db9914000000080003007130000000001000110000000800030001800000000014000f0000000c00010073616d706c65000000001400110000000c0001006d6972726564000000001000110000000800030004000000000010001b0000000800030000100000000010001700000008000100627066000000100009000000080003000600000000001000110000000800030040000000000010001100000008000300d6e20000000028000100100009000000080003000700000000001400010000000c000100736b626d6f6400000000440001001400120000000c000100706f6c696365000000001400190000000c0001006d69727265640000000018001900000010000100636f6e6e6d61726b000000000000"], 0x258}, 0x1, 0x0, 0x0, 0x20000000}, 0x1) ioctl$UI_SET_PROPBIT(r2, 0x4004556e, 0x6) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000041f00363a46dd7acf711a4da0a599f000200000000000000"], 0x0, 0x0, 0x0}) [ 739.772678][T14895] binder: 14888:14895 transaction failed 29189/-22, size 0-0 line 2995 [ 739.802920][T14898] binder: 14897:14898 ioctl 40505331 20000080 returned -22 08:36:08 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', 0x0, 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f00000000c0)="1020f5f20100070009000000030000000c", 0x11, 0x1400}], 0x0, 0x0) 08:36:08 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) r1 = dup(r0) bind$inet6(r1, &(0x7f0000000100)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) r2 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r2, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) 08:36:08 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") writev(0xffffffffffffffff, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) [ 739.834392][T14898] binder: 14897:14898 ioctl 4004556e 6 returned -22 [ 739.840569][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 739.914594][T14898] binder: 14897:14898 got transaction to context manager from process owning it 08:36:08 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x1c, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad"], 0x0, 0x0, 0x0}) [ 739.956201][T14898] binder: 14897:14898 transaction failed 29201/-22, size 0-0 line 2986 08:36:08 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") writev(0xffffffffffffffff, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) 08:36:08 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', 0x0, 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f00000000c0)="1020f5f20100070009000000030000000c", 0x11, 0x1400}], 0x0, 0x0) [ 740.040790][T14912] binder_alloc: 14897: binder_alloc_buf size 5740120 failed, no address space [ 740.067375][T14912] binder_alloc: allocated: 0 (num: 0 largest: 0), free: 8192 (num: 1 largest: 8192) [ 740.086335][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 740.095342][T14912] binder: 14911:14912 transaction failed 29201/-28, size 0-0 line 3148 [ 740.127570][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:36:09 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, 0x0) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:09 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x0, 0x0, 0x0, 0x0) 08:36:09 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x0) mmap(&(0x7f0000ff9000/0x2000)=nil, 0x2000, 0x100, 0x20011, r0, 0x0) r2 = dup3(r0, r1, 0x80000) setsockopt$l2tp_PPPOL2TP_SO_LNSMODE(r2, 0x111, 0x4, 0x1, 0x4) ioctl$SNDRV_SEQ_IOCTL_UNSUBSCRIBE_PORT(r2, 0x40505331, &(0x7f0000000080)={{0x80, 0x8001}, {0x10000, 0x800}, 0x7, 0x5, 0x5}) sendmsg$nl_route_sched(r2, &(0x7f0000000140)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x1050021}, 0xc, &(0x7f0000000100)={&(0x7f0000000240)=ANY=[@ANYBLOB="58020000310000092cbd7000fddbdf250000000068000100100017000000080003000300000000001400160000000c0001006d697272656400000000100009000000080003000100008000001000090000000800030000000000000010001200000008000100696665000000100012000000080001006966650000006c000100100005000000080003000400000000001400050000000c000100736b626d6f64000000001000050000000800010062706600000014000b0000000c0001006761637400000000000010001a0040000800030008000000000010001b00000008000300070000000000580001001400130000000c000100736b626564697400000010000d000000080003000200000000001000060000000800030006000000000010001e0000000800030008000000000010000a0000000800010069707400005e6e71cd91db9914000000080003007130000000001000110000000800030001800000000014000f0000000c00010073616d706c65000000001400110000000c0001006d6972726564000000001000110000000800030004000000000010001b0000000800030000100000000010001700000008000100627066000000100009000000080003000600000000001000110000000800030040000000000010001100000008000300d6e20000000028000100100009000000080003000700000000001400010000000c000100736b626d6f6400000000440001001400120000000c000100706f6c696365000000001400190000000c0001006d69727265640000000018001900000010000100636f6e6e6d61726b000000000000"], 0x258}, 0x1, 0x0, 0x0, 0x20000000}, 0x1) ioctl$UI_SET_PROPBIT(r2, 0x4004556e, 0x6) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000041f00363a46dd7acf711a4da0a599f000200000000000000"], 0x0, 0x0, 0x0}) 08:36:09 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$inet6(0xa, 0x400000000001, 0x0) dup(r0) r1 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r1, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) 08:36:09 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") writev(0xffffffffffffffff, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) 08:36:09 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x13, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="11634840000000000000000000000200000000"], 0x0, 0x0, 0x0}) [ 740.519311][T14933] binder: 14932:14933 ioctl 40505331 20000080 returned -22 [ 740.535065][T13002] binder: undelivered TRANSACTION_ERROR: 29189 [ 740.540238][T14933] binder: 14932:14933 ioctl 4004556e 6 returned -22 08:36:09 executing program 4: socket$inet_udplite(0x2, 0x2, 0x88) r0 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r0, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) [ 740.568402][T14939] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 740.603117][T14933] binder: 14932:14933 got transaction to context manager from process owning it 08:36:09 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') socket$inet6(0xa, 0x400000000001, 0x0) r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r0, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) [ 740.607759][T14939] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock 08:36:09 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x13, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="11634840000000000000000000000200000000"], 0x0, 0x0, 0x0}) [ 740.669476][T14939] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 740.693981][T14939] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock 08:36:09 executing program 4: socket$inet_udplite(0x2, 0x2, 0x88) r0 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r0, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) 08:36:09 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x0) mmap(&(0x7f0000ff9000/0x2000)=nil, 0x2000, 0x100, 0x20011, r0, 0x0) r2 = dup3(r0, r1, 0x80000) setsockopt$l2tp_PPPOL2TP_SO_LNSMODE(r2, 0x111, 0x4, 0x1, 0x4) ioctl$SNDRV_SEQ_IOCTL_UNSUBSCRIBE_PORT(r2, 0x40505331, &(0x7f0000000080)={{0x80, 0x8001}, {0x10000, 0x800}, 0x7, 0x5, 0x5}) sendmsg$nl_route_sched(r2, &(0x7f0000000140)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x1050021}, 0xc, &(0x7f0000000100)={&(0x7f0000000240)=ANY=[@ANYBLOB="58020000310000092cbd7000fddbdf250000000068000100100017000000080003000300000000001400160000000c0001006d697272656400000000100009000000080003000100008000001000090000000800030000000000000010001200000008000100696665000000100012000000080001006966650000006c000100100005000000080003000400000000001400050000000c000100736b626d6f64000000001000050000000800010062706600000014000b0000000c0001006761637400000000000010001a0040000800030008000000000010001b00000008000300070000000000580001001400130000000c000100736b626564697400000010000d000000080003000200000000001000060000000800030006000000000010001e0000000800030008000000000010000a0000000800010069707400005e6e71cd91db9914000000080003007130000000001000110000000800030001800000000014000f0000000c00010073616d706c65000000001400110000000c0001006d6972726564000000001000110000000800030004000000000010001b0000000800030000100000000010001700000008000100627066000000100009000000080003000600000000001000110000000800030040000000000010001100000008000300d6e20000000028000100100009000000080003000700000000001400010000000c000100736b626d6f6400000000440001001400120000000c000100706f6c696365000000001400190000000c0001006d69727265640000000018001900000010000100636f6e6e6d61726b000000000000"], 0x258}, 0x1, 0x0, 0x0, 0x20000000}, 0x1) ioctl$UI_SET_PROPBIT(r2, 0x4004556e, 0x6) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000041f00363a46dd7acf711a4da0a599f000200000000000000"], 0x0, 0x0, 0x0}) [ 740.720507][T13002] binder: undelivered TRANSACTION_ERROR: 29201 08:36:09 executing program 5: syz_open_procfs(0x0, &(0x7f0000000340)='net/ip6_flowlabel\x00n\xc01\x14\x894X\xed\xc1\xc9\xd8\xdcK\r\x8d\xae\x98&@\xd0\xe6\xbbQ\xd7\xffYn\x1c\x92\xde\x0e\xaa1\x91\x98\xe9\x1f\nMCi|+\xcdw\xf0\x176Z\xf1`\xac\xf3;\xd6d2\xeb\xe5\f\x0e\x8b\xda\xf7\xfc9\xfe\xff4\xef\'\xa19q\x93\"\x7fG3\xc1E\xe6e6\xc6\xc2u\x11% \xe7+0\x97\x84;\\\xda\xc4\x80\xc3\xb18N\xbfY%\x05\xf8\x85\x89\xfc\xd2\xd7') r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r0, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) [ 740.823239][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 740.835872][T14958] binder: 14954:14958 ioctl 40505331 20000080 returned -22 [ 740.902774][T14958] binder: 14954:14958 ioctl 4004556e 6 returned -22 [ 740.959216][T14963] binder: 14954:14963 got transaction to context manager from process owning it 08:36:10 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, 0x0) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:10 executing program 4: socket$inet_udplite(0x2, 0x2, 0x88) r0 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r0, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) 08:36:10 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x0, 0x0, 0x0, 0x0) 08:36:10 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x13, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="11634840000000000000000000000200000000"], 0x0, 0x0, 0x0}) 08:36:10 executing program 5: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r0, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) 08:36:10 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x0) mmap(&(0x7f0000ff9000/0x2000)=nil, 0x2000, 0x100, 0x20011, r0, 0x0) r2 = dup3(r0, r1, 0x80000) setsockopt$l2tp_PPPOL2TP_SO_LNSMODE(r2, 0x111, 0x4, 0x1, 0x4) ioctl$SNDRV_SEQ_IOCTL_UNSUBSCRIBE_PORT(r2, 0x40505331, &(0x7f0000000080)={{0x80, 0x8001}, {0x10000, 0x800}, 0x7, 0x5, 0x5}) sendmsg$nl_route_sched(r2, &(0x7f0000000140)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x1050021}, 0xc, &(0x7f0000000100)={&(0x7f0000000240)=ANY=[@ANYBLOB="58020000310000092cbd7000fddbdf250000000068000100100017000000080003000300000000001400160000000c0001006d697272656400000000100009000000080003000100008000001000090000000800030000000000000010001200000008000100696665000000100012000000080001006966650000006c000100100005000000080003000400000000001400050000000c000100736b626d6f64000000001000050000000800010062706600000014000b0000000c0001006761637400000000000010001a0040000800030008000000000010001b00000008000300070000000000580001001400130000000c000100736b626564697400000010000d000000080003000200000000001000060000000800030006000000000010001e0000000800030008000000000010000a0000000800010069707400005e6e71cd91db9914000000080003007130000000001000110000000800030001800000000014000f0000000c00010073616d706c65000000001400110000000c0001006d6972726564000000001000110000000800030004000000000010001b0000000800030000100000000010001700000008000100627066000000100009000000080003000600000000001000110000000800030040000000000010001100000008000300d6e20000000028000100100009000000080003000700000000001400010000000c000100736b626d6f6400000000440001001400120000000c000100706f6c696365000000001400190000000c0001006d69727265640000000018001900000010000100636f6e6e6d61726b000000000000"], 0x258}, 0x1, 0x0, 0x0, 0x20000000}, 0x1) ioctl$UI_SET_PROPBIT(r2, 0x4004556e, 0x6) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) 08:36:10 executing program 4: ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r0 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r0, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) [ 741.345890][T14981] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 741.353975][T14979] binder: 14977:14979 ioctl 40505331 20000080 returned -22 [ 741.369847][T14981] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock [ 741.379580][T14979] binder: 14977:14979 ioctl 4004556e 6 returned -22 08:36:10 executing program 5: r0 = socket$packet(0x11, 0x0, 0x300) setsockopt$packet_int(r0, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) [ 741.402013][T14981] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) 08:36:10 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x0) mmap(&(0x7f0000ff9000/0x2000)=nil, 0x2000, 0x100, 0x20011, r0, 0x0) r2 = dup3(r0, r1, 0x80000) setsockopt$l2tp_PPPOL2TP_SO_LNSMODE(r2, 0x111, 0x4, 0x1, 0x4) ioctl$SNDRV_SEQ_IOCTL_UNSUBSCRIBE_PORT(r2, 0x40505331, &(0x7f0000000080)={{0x80, 0x8001}, {0x10000, 0x800}, 0x7, 0x5, 0x5}) sendmsg$nl_route_sched(r2, &(0x7f0000000140)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x1050021}, 0xc, &(0x7f0000000100)={&(0x7f0000000240)=ANY=[@ANYBLOB="58020000310000092cbd7000fddbdf250000000068000100100017000000080003000300000000001400160000000c0001006d697272656400000000100009000000080003000100008000001000090000000800030000000000000010001200000008000100696665000000100012000000080001006966650000006c000100100005000000080003000400000000001400050000000c000100736b626d6f64000000001000050000000800010062706600000014000b0000000c0001006761637400000000000010001a0040000800030008000000000010001b00000008000300070000000000580001001400130000000c000100736b626564697400000010000d000000080003000200000000001000060000000800030006000000000010001e0000000800030008000000000010000a0000000800010069707400005e6e71cd91db9914000000080003007130000000001000110000000800030001800000000014000f0000000c00010073616d706c65000000001400110000000c0001006d6972726564000000001000110000000800030004000000000010001b0000000800030000100000000010001700000008000100627066000000100009000000080003000600000000001000110000000800030040000000000010001100000008000300d6e20000000028000100100009000000080003000700000000001400010000000c000100736b626d6f6400000000440001001400120000000c000100706f6c696365000000001400190000000c0001006d69727265640000000018001900000010000100636f6e6e6d61726b000000000000"], 0x258}, 0x1, 0x0, 0x0, 0x20000000}, 0x1) ioctl$UI_SET_PROPBIT(r2, 0x4004556e, 0x6) [ 741.442997][T14981] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock 08:36:10 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x18, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d00"], 0x0, 0x0, 0x0}) 08:36:10 executing program 5: r0 = socket$packet(0x11, 0x0, 0x300) setsockopt$packet_int(r0, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) 08:36:10 executing program 4: ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r0 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r0, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) [ 741.597850][T14997] binder: 14994:14997 ioctl 40505331 20000080 returned -22 [ 741.626952][T14997] binder: 14994:14997 ioctl 4004556e 6 returned -22 08:36:11 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, 0x0) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:11 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x0, 0x0, 0x0, 0x0) 08:36:11 executing program 4: ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r0 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r0, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) 08:36:11 executing program 5: r0 = socket$packet(0x11, 0x0, 0x300) setsockopt$packet_int(r0, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) 08:36:11 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x18, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d00"], 0x0, 0x0, 0x0}) 08:36:11 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x0) mmap(&(0x7f0000ff9000/0x2000)=nil, 0x2000, 0x100, 0x20011, r0, 0x0) r2 = dup3(r0, r1, 0x80000) setsockopt$l2tp_PPPOL2TP_SO_LNSMODE(r2, 0x111, 0x4, 0x1, 0x4) ioctl$SNDRV_SEQ_IOCTL_UNSUBSCRIBE_PORT(r2, 0x40505331, &(0x7f0000000080)={{0x80, 0x8001}, {0x10000, 0x800}, 0x7, 0x5, 0x5}) sendmsg$nl_route_sched(r2, &(0x7f0000000140)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x1050021}, 0xc, &(0x7f0000000100)={&(0x7f0000000240)=ANY=[@ANYBLOB="58020000310000092cbd7000fddbdf250000000068000100100017000000080003000300000000001400160000000c0001006d697272656400000000100009000000080003000100008000001000090000000800030000000000000010001200000008000100696665000000100012000000080001006966650000006c000100100005000000080003000400000000001400050000000c000100736b626d6f64000000001000050000000800010062706600000014000b0000000c0001006761637400000000000010001a0040000800030008000000000010001b00000008000300070000000000580001001400130000000c000100736b626564697400000010000d000000080003000200000000001000060000000800030006000000000010001e0000000800030008000000000010000a0000000800010069707400005e6e71cd91db9914000000080003007130000000001000110000000800030001800000000014000f0000000c00010073616d706c65000000001400110000000c0001006d6972726564000000001000110000000800030004000000000010001b0000000800030000100000000010001700000008000100627066000000100009000000080003000600000000001000110000000800030040000000000010001100000008000300d6e20000000028000100100009000000080003000700000000001400010000000c000100736b626d6f6400000000440001001400120000000c000100706f6c696365000000001400190000000c0001006d69727265640000000018001900000010000100636f6e6e6d61726b000000000000"], 0x258}, 0x1, 0x0, 0x0, 0x20000000}, 0x1) [ 742.144223][T15018] binder: 15017:15018 ioctl 40505331 20000080 returned -22 [ 742.151189][T15021] binder_transaction: 6 callbacks suppressed [ 742.151206][T15021] binder: 15016:15021 transaction failed 29189/-22, size 0-0 line 2995 08:36:11 executing program 5: socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(0xffffffffffffffff, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) 08:36:11 executing program 4: socket$inet_udplite(0x2, 0x2, 0x88) ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r0 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r0, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) [ 742.192272][T15020] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) 08:36:11 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x0) mmap(&(0x7f0000ff9000/0x2000)=nil, 0x2000, 0x100, 0x20011, r0, 0x0) r2 = dup3(r0, r1, 0x80000) setsockopt$l2tp_PPPOL2TP_SO_LNSMODE(r2, 0x111, 0x4, 0x1, 0x4) ioctl$SNDRV_SEQ_IOCTL_UNSUBSCRIBE_PORT(r2, 0x40505331, &(0x7f0000000080)={{0x80, 0x8001}, {0x10000, 0x800}, 0x7, 0x5, 0x5}) [ 742.266825][T15020] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock 08:36:11 executing program 5: socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(0xffffffffffffffff, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) 08:36:11 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x18, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d00"], 0x0, 0x0, 0x0}) [ 742.337869][T15033] binder: 15032:15033 ioctl 40505331 20000080 returned -22 [ 742.367846][T15020] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) 08:36:11 executing program 4: socket$inet_udplite(0x2, 0x2, 0x88) ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r0 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r0, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) [ 742.395307][T15020] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock [ 742.483557][T15041] binder: 15039:15041 transaction failed 29189/-22, size 0-0 line 2995 08:36:11 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:11 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x0) mmap(&(0x7f0000ff9000/0x2000)=nil, 0x2000, 0x100, 0x20011, r0, 0x0) r2 = dup3(r0, r1, 0x80000) setsockopt$l2tp_PPPOL2TP_SO_LNSMODE(r2, 0x111, 0x4, 0x1, 0x4) 08:36:11 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x0, &(0x7f0000000200), 0x0, 0x0) 08:36:11 executing program 5: socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(0xffffffffffffffff, 0x107, 0x800000000007, &(0x7f0000000000)=0x2, 0x4) 08:36:11 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x1a, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000"], 0x0, 0x0, 0x0}) 08:36:11 executing program 4: socket$inet_udplite(0x2, 0x2, 0x88) ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r0 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r0, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) [ 742.920847][T15055] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 742.928643][T15055] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock [ 742.930193][T15060] binder: 15057:15060 transaction failed 29189/-22, size 0-0 line 2995 08:36:11 executing program 5: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r0, 0x107, 0x0, &(0x7f0000000000)=0x2, 0x4) 08:36:11 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x0) mmap(&(0x7f0000ff9000/0x2000)=nil, 0x2000, 0x100, 0x20011, r0, 0x0) dup3(r0, r1, 0x80000) 08:36:11 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x0, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) [ 742.994727][T15055] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 743.007458][T15055] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock [ 743.059986][T13002] binder_release_work: 5 callbacks suppressed [ 743.059994][T13002] binder: undelivered TRANSACTION_ERROR: 29189 08:36:12 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x0, &(0x7f0000000200), 0x0, 0x0) 08:36:12 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x1a, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000"], 0x0, 0x0, 0x0}) 08:36:12 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x0, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) [ 743.263802][T15078] binder: 15077:15078 transaction failed 29189/-22, size 0-0 line 2995 [ 743.302172][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 743.344716][T15081] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 743.377819][T15081] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock [ 743.393013][T15081] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 743.405459][T15081] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock 08:36:12 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:12 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x0) dup3(r0, r1, 0x80000) 08:36:12 executing program 5: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r0, 0x107, 0x0, &(0x7f0000000000)=0x2, 0x4) 08:36:12 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x0, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) 08:36:12 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x1a, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000"], 0x0, 0x0, 0x0}) 08:36:12 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x0, &(0x7f0000000200), 0x0, 0x0) 08:36:12 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) dup3(r0, 0xffffffffffffffff, 0x80000) [ 743.770722][T15102] binder: 15100:15102 transaction failed 29189/-22, size 0-0 line 2995 [ 743.800147][T15104] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) 08:36:12 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, 0x0) r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) 08:36:12 executing program 5: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r0, 0x107, 0x0, &(0x7f0000000000)=0x2, 0x4) [ 743.823876][T15104] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock [ 743.833711][ T17] binder: undelivered TRANSACTION_ERROR: 29189 08:36:12 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x1b, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1"], 0x0, 0x0, 0x0}) [ 743.889111][T15104] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) 08:36:12 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) dup3(r0, 0xffffffffffffffff, 0x80000) [ 743.938632][T15104] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock 08:36:12 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, 0x0) r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) [ 744.007671][T15120] binder: 15119:15120 transaction failed 29189/-22, size 0-0 line 2995 [ 744.075072][ T17] binder: undelivered TRANSACTION_ERROR: 29189 08:36:13 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:13 executing program 5: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r0, 0x107, 0x800000000007, 0x0, 0x0) 08:36:13 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x1b, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1"], 0x0, 0x0, 0x0}) 08:36:13 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x1, &(0x7f0000000200)=[{0x0, 0x0, 0x1400}], 0x0, 0x0) 08:36:13 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) dup3(r0, 0xffffffffffffffff, 0x80000) 08:36:13 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, 0x0) r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) [ 744.540404][T15144] binder: 15139:15144 transaction failed 29189/-22, size 0-0 line 2995 [ 744.570247][T13002] binder: undelivered TRANSACTION_ERROR: 29189 [ 744.576567][T15145] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) 08:36:13 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)) r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) 08:36:13 executing program 5: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r0, 0x107, 0x800000000007, 0x0, 0x0) [ 744.598883][T15145] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock [ 744.609235][T15145] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) 08:36:13 executing program 2: r0 = syz_open_dev$binder(0x0, 0x0, 0x0) dup3(0xffffffffffffffff, r0, 0x80000) 08:36:13 executing program 0: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed569657"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x0, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x1b, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1"], 0x0, 0x0, 0x0}) [ 744.678809][T15145] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock 08:36:13 executing program 5: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r0, 0x107, 0x800000000007, 0x0, 0x0) 08:36:13 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x1, &(0x7f0000000200)=[{0x0, 0x0, 0x1400}], 0x0, 0x0) [ 744.830697][T15162] binder: 15159:15162 transaction failed 29189/-22, size 0-0 line 2995 [ 744.942495][T15169] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 744.958302][T13002] binder: undelivered TRANSACTION_ERROR: 29189 [ 744.976042][T15169] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock [ 744.993552][T15169] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 745.010067][T15169] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock 08:36:14 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(0xffffffffffffffff, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:14 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)) r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) 08:36:14 executing program 5: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r0, 0x107, 0x800000000007, &(0x7f0000000000), 0x4) 08:36:14 executing program 2: r0 = syz_open_dev$binder(0x0, 0x0, 0x0) dup3(0xffffffffffffffff, r0, 0x80000) 08:36:14 executing program 0: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r0, 0x107, 0x800000000007, 0x0, 0x0) 08:36:14 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x1, &(0x7f0000000200)=[{0x0, 0x0, 0x1400}], 0x0, 0x0) 08:36:14 executing program 2: r0 = syz_open_dev$binder(0x0, 0x0, 0x0) dup3(0xffffffffffffffff, r0, 0x80000) 08:36:14 executing program 0: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r0, 0x107, 0x800000000007, 0x0, 0x0) [ 745.443482][T15187] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 745.452518][T15187] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock [ 745.461496][T15187] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 745.470007][T15187] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock 08:36:14 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)) r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) 08:36:14 executing program 5: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, 0x0) r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) 08:36:14 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f00000000c0), 0x0, 0x1400}], 0x0, 0x0) 08:36:14 executing program 0: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r0, 0x107, 0x800000000007, 0x0, 0x0) [ 745.831793][T15215] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 745.858523][T15215] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock [ 745.878787][T15215] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 745.887770][T15215] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock 08:36:15 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(0xffffffffffffffff, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:15 executing program 2: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x0) dup3(r0, r1, 0x80000) 08:36:15 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c12") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) 08:36:15 executing program 5: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:15 executing program 0: setsockopt$packet_int(0xffffffffffffffff, 0x107, 0x800000000007, 0x0, 0x0) 08:36:15 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f00000000c0), 0x0, 0x1400}], 0x0, 0x0) 08:36:15 executing program 2: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x0) dup3(r0, r1, 0x80000) 08:36:15 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c12") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) 08:36:15 executing program 0: setsockopt$packet_int(0xffffffffffffffff, 0x107, 0x800000000007, 0x0, 0x0) [ 746.294003][T15234] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 746.398789][T15234] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock [ 746.434424][T15234] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) 08:36:15 executing program 2: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0x0, 0x0) dup3(r0, r1, 0x80000) [ 746.484779][T15234] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock 08:36:15 executing program 0: setsockopt$packet_int(0xffffffffffffffff, 0x107, 0x800000000007, 0x0, 0x0) 08:36:15 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c12") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) 08:36:16 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(0xffffffffffffffff, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:16 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) dup3(r0, r1, 0x80000) 08:36:16 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f00000000c0), 0x0, 0x1400}], 0x0, 0x0) 08:36:16 executing program 0: r0 = socket$packet(0x11, 0x0, 0x300) setsockopt$packet_int(r0, 0x107, 0x800000000007, 0x0, 0x0) 08:36:16 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319b") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) 08:36:16 executing program 5: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, 0x0) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:16 executing program 0: r0 = socket$packet(0x11, 0x0, 0x300) setsockopt$packet_int(r0, 0x107, 0x800000000007, 0x0, 0x0) 08:36:16 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) dup3(0xffffffffffffffff, r0, 0x80000) [ 747.342598][T15277] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 747.369279][T15277] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock 08:36:16 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319b") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) [ 747.458889][T15277] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) 08:36:16 executing program 0: r0 = socket$packet(0x11, 0x0, 0x300) setsockopt$packet_int(r0, 0x107, 0x800000000007, 0x0, 0x0) 08:36:16 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) dup3(0xffffffffffffffff, r0, 0x80000) [ 747.532722][T15277] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock 08:36:16 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319b") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) 08:36:16 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x0, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:16 executing program 0: socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(0xffffffffffffffff, 0x107, 0x800000000007, 0x0, 0x0) 08:36:16 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f00000000c0)="1020f5f20100070009", 0x9, 0x1400}], 0x0, 0x0) 08:36:16 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) dup3(0xffffffffffffffff, r0, 0x80000) 08:36:16 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd0") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) [ 748.032450][T15313] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 748.108777][T15313] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock [ 748.132838][T15313] F2FS-fs (loop3): Invalid blocksize (1), supports only 4KB [ 748.132838][T15313] [ 748.178960][T15313] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock 08:36:17 executing program 5: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, 0x0) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:17 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) dup3(r0, 0xffffffffffffffff, 0x80000) 08:36:17 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd0") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) 08:36:17 executing program 0: socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(0xffffffffffffffff, 0x107, 0x800000000007, 0x0, 0x0) 08:36:17 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f00000000c0)="1020f5f20100070009", 0x9, 0x1400}], 0x0, 0x0) 08:36:17 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd0") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) 08:36:17 executing program 0: socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(0xffffffffffffffff, 0x107, 0x800000000007, 0x0, 0x0) [ 748.378602][T15338] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 748.394381][T15338] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock [ 748.464441][T15338] F2FS-fs (loop3): Invalid blocksize (1), supports only 4KB [ 748.464441][T15338] [ 748.528489][T15338] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock 08:36:17 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x0, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:17 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x0) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) 08:36:17 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) dup3(r0, 0xffffffffffffffff, 0x80000) 08:36:17 executing program 0: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r0, 0x107, 0x0, 0x0, 0x0) 08:36:17 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f00000000c0)="1020f5f20100070009", 0x9, 0x1400}], 0x0, 0x0) [ 748.984556][T15363] netlink: 64 bytes leftover after parsing attributes in process `syz-executor.4'. [ 749.019302][T15364] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 749.033479][T15364] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock [ 749.088447][T15364] F2FS-fs (loop3): Invalid blocksize (1), supports only 4KB [ 749.088447][T15364] [ 749.125956][T15364] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock 08:36:18 executing program 5: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, 0x0) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:18 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) dup3(r0, 0xffffffffffffffff, 0x80000) 08:36:18 executing program 0: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r0, 0x107, 0x0, 0x0, 0x0) 08:36:18 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x0) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) 08:36:18 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f00000000c0)="1020f5f2010007000900000003", 0xd, 0x1400}], 0x0, 0x0) [ 749.432234][T15381] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 749.461473][T15379] netlink: 64 bytes leftover after parsing attributes in process `syz-executor.4'. 08:36:18 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) dup3(r0, r1, 0x0) 08:36:18 executing program 0: r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r0, 0x107, 0x0, 0x0, 0x0) [ 749.488838][T15381] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock [ 749.517450][T15381] F2FS-fs (loop3): Invalid blocksize (1), supports only 4KB [ 749.517450][T15381] [ 749.620873][T15381] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock 08:36:19 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x0, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:19 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) dup3(r0, r1, 0x0) 08:36:19 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x0) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) 08:36:19 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x0) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:19 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f00000000c0)="1020f5f2010007000900000003", 0xd, 0x1400}], 0x0, 0x0) [ 750.129844][T15402] netlink: 64 bytes leftover after parsing attributes in process `syz-executor.4'. [ 750.158589][T15408] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 750.227806][T15408] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock [ 750.268871][T15408] F2FS-fs (loop3): Invalid blocksize (1), supports only 4KB [ 750.268871][T15408] 08:36:19 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) r2 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7, 0x8100) r3 = syz_genetlink_get_family_id$tipc(&(0x7f0000000240)='TIPC\x00') setsockopt$netlink_NETLINK_NO_ENOBUFS(r2, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) sendmsg$TIPC_CMD_GET_LINKS(r2, &(0x7f0000000400)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x8}, 0xc, &(0x7f00000003c0)={&(0x7f0000000380)={0x24, r3, 0x420, 0x70bd26, 0x25dfdbfb, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x2}}, ["", "", "", "", ""]}, 0x24}, 0x1, 0x0, 0x0, 0x4000050}, 0x4) r4 = syz_genetlink_get_family_id$tipc(&(0x7f00000000c0)='TIPC\x00') sendmsg$TIPC_CMD_GET_LINKS(r2, &(0x7f00000001c0)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x4000000}, 0xc, &(0x7f0000000140)={&(0x7f0000000100)={0x24, r4, 0x300, 0x70bd28, 0x25dfdbfb, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x80000001}}, ["", "", "", ""]}, 0x24}, 0x1, 0x0, 0x0, 0x8000}, 0x4008041) setsockopt$RXRPC_SECURITY_KEY(r2, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000280)=ANY=[@ANYBLOB="1163484000000000000000ff7f00020000000000000000000000dd8651ad81a1ad0e29bf54bebc70823e633a6039853876f184e8134057917db1aae4f67a09d8a69d182d350f9d40d144ab8ff14e81bee155255cc363805d9ab603412c30288ddc4b17fdae326da7688b75fe2c4fe372af8368b3b9fef2994f8da32a898fe437adc821e1920cfdafca315a10967cdc04401d2f579f2122319ab4269398add6b90861e28c5afd6f059665d74395c55a56c9647f783417035ec24b82dc557e366dbc883b7bd6098e82d17916fad5293f5a8894f528e6a123976c20f519c42e6a6b5cd71b803affc6099bbf0000000001000000"], 0x0, 0x0, 0x0}) 08:36:19 executing program 2: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:19 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") socket$netlink(0x10, 0x3, 0x8000000004) writev(0xffffffffffffffff, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) 08:36:19 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x0) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) [ 750.361270][T15408] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock 08:36:19 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") socket$netlink(0x10, 0x3, 0x8000000004) writev(0xffffffffffffffff, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) 08:36:19 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f00000000c0)="1020f5f2010007000900000003", 0xd, 0x1400}], 0x0, 0x0) 08:36:19 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") socket$netlink(0x10, 0x3, 0x8000000004) writev(0xffffffffffffffff, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fcff", 0x58}], 0x1) [ 750.655664][T15533] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 750.685038][T15533] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock [ 750.749299][T15533] F2FS-fs (loop3): Invalid blocksize (1), supports only 4KB [ 750.749299][T15533] [ 750.790103][T15533] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock [ 750.910482][T15643] binder: 15642:15643 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 750.946725][T15643] binder: 15642:15643 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 750.990495][T15643] binder: 15642:15643 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 751.028873][T15643] binder: 15642:15643 got transaction to invalid handle [ 751.049108][T15643] binder: 15642:15643 transaction failed 29201/-22, size 0-40 line 2995 [ 751.109898][T15643] binder: 15642:15643 transaction failed 29201/-22, size 4207275206852263508--1691962069927773856 line 3148 [ 751.147236][T13002] binder: undelivered TRANSACTION_ERROR: 29201 [ 751.189175][T13002] binder: undelivered TRANSACTION_ERROR: 29201 08:36:20 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(0x0, r2, 0x6, r1, 0xb) 08:36:20 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, 0x0, 0x0) 08:36:20 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x0) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:20 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f00000000c0)="1020f5f20100070009000000030000", 0xf, 0x1400}], 0x0, 0x0) 08:36:20 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) r2 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7, 0x8100) r3 = syz_genetlink_get_family_id$tipc(&(0x7f0000000240)='TIPC\x00') setsockopt$netlink_NETLINK_NO_ENOBUFS(r2, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) sendmsg$TIPC_CMD_GET_LINKS(r2, &(0x7f0000000400)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x8}, 0xc, &(0x7f00000003c0)={&(0x7f0000000380)={0x24, r3, 0x420, 0x70bd26, 0x25dfdbfb, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x2}}, ["", "", "", "", ""]}, 0x24}, 0x1, 0x0, 0x0, 0x4000050}, 0x4) r4 = syz_genetlink_get_family_id$tipc(&(0x7f00000000c0)='TIPC\x00') sendmsg$TIPC_CMD_GET_LINKS(r2, &(0x7f00000001c0)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x4000000}, 0xc, &(0x7f0000000140)={&(0x7f0000000100)={0x24, r4, 0x300, 0x70bd28, 0x25dfdbfb, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x80000001}}, ["", "", "", ""]}, 0x24}, 0x1, 0x0, 0x0, 0x8000}, 0x4008041) setsockopt$RXRPC_SECURITY_KEY(r2, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000280)=ANY=[@ANYBLOB="1163484000000000000000ff7f00020000000000000000000000dd8651ad81a1ad0e29bf54bebc70823e633a6039853876f184e8134057917db1aae4f67a09d8a69d182d350f9d40d144ab8ff14e81bee155255cc363805d9ab603412c30288ddc4b17fdae326da7688b75fe2c4fe372af8368b3b9fef2994f8da32a898fe437adc821e1920cfdafca315a10967cdc04401d2f579f2122319ab4269398add6b90861e28c5afd6f059665d74395c55a56c9647f783417035ec24b82dc557e366dbc883b7bd6098e82d17916fad5293f5a8894f528e6a123976c20f519c42e6a6b5cd71b803affc6099bbf0000000001000000"], 0x0, 0x0, 0x0}) 08:36:20 executing program 2: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) [ 751.413741][T15649] binder: 15648:15649 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 751.438170][T15652] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) 08:36:20 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, 0x0, 0x0) [ 751.469399][T15649] binder: 15648:15649 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 751.483081][T15652] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock [ 751.523293][T15652] F2FS-fs (loop3): Invalid blocksize (1), supports only 4KB [ 751.523293][T15652] [ 751.539225][T15657] binder: 15648:15657 transaction failed 29201/-22, size 4207275206852263508--1691962069927773856 line 3148 [ 751.568962][T15652] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock [ 751.578989][T15649] binder: 15648:15649 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 751.599619][T15649] binder: 15648:15649 got transaction to invalid handle [ 751.620669][T15649] binder: 15648:15649 transaction failed 29201/-22, size 0-40 line 2995 08:36:20 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, 0x0, 0x0) 08:36:20 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f00000000c0)="1020f5f20100070009000000030000", 0xf, 0x1400}], 0x0, 0x0) [ 751.725611][T13002] binder: undelivered TRANSACTION_ERROR: 29201 08:36:20 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) r2 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7, 0x8100) r3 = syz_genetlink_get_family_id$tipc(&(0x7f0000000240)='TIPC\x00') setsockopt$netlink_NETLINK_NO_ENOBUFS(r2, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) sendmsg$TIPC_CMD_GET_LINKS(r2, &(0x7f0000000400)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x8}, 0xc, &(0x7f00000003c0)={&(0x7f0000000380)={0x24, r3, 0x420, 0x70bd26, 0x25dfdbfb, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x2}}, ["", "", "", "", ""]}, 0x24}, 0x1, 0x0, 0x0, 0x4000050}, 0x4) r4 = syz_genetlink_get_family_id$tipc(&(0x7f00000000c0)='TIPC\x00') sendmsg$TIPC_CMD_GET_LINKS(r2, &(0x7f00000001c0)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x4000000}, 0xc, &(0x7f0000000140)={&(0x7f0000000100)={0x24, r4, 0x300, 0x70bd28, 0x25dfdbfb, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x80000001}}, ["", "", "", ""]}, 0x24}, 0x1, 0x0, 0x0, 0x8000}, 0x4008041) setsockopt$RXRPC_SECURITY_KEY(r2, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000280)=ANY=[@ANYBLOB="1163484000000000000000ff7f00020000000000000000000000dd8651ad81a1ad0e29bf54bebc70823e633a6039853876f184e8134057917db1aae4f67a09d8a69d182d350f9d40d144ab8ff14e81bee155255cc363805d9ab603412c30288ddc4b17fdae326da7688b75fe2c4fe372af8368b3b9fef2994f8da32a898fe437adc821e1920cfdafca315a10967cdc04401d2f579f2122319ab4269398add6b90861e28c5afd6f059665d74395c55a56c9647f783417035ec24b82dc557e366dbc883b7bd6098e82d17916fad5293f5a8894f528e6a123976c20f519c42e6a6b5cd71b803affc6099bbf0000000001000000"], 0x0, 0x0, 0x0}) [ 751.831829][T15726] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 751.837482][T13002] binder: undelivered TRANSACTION_ERROR: 29201 08:36:20 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200), 0x0) [ 751.892826][T15726] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock [ 751.931436][T15726] F2FS-fs (loop3): Invalid blocksize (1), supports only 4KB [ 751.931436][T15726] [ 751.961782][T15726] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock 08:36:20 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) [ 752.005428][T15783] binder: 15778:15783 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 752.061286][T15787] binder: 15778:15787 transaction failed 29201/-22, size 4207275206852263508--1691962069927773856 line 3148 [ 752.070441][T15783] binder: 15778:15783 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 752.151612][T15783] binder: 15778:15783 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 752.222649][T15783] binder: 15778:15783 got transaction to invalid handle [ 752.238640][T15783] binder: 15778:15783 transaction failed 29201/-22, size 0-40 line 2995 [ 752.269708][T13002] binder: undelivered TRANSACTION_ERROR: 29201 [ 752.304834][T13002] binder: undelivered TRANSACTION_ERROR: 29201 08:36:21 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(0x0, r2, 0x6, r1, 0xb) 08:36:21 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f00000000c0)="1020f5f20100070009000000030000", 0xf, 0x1400}], 0x0, 0x0) 08:36:21 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200), 0x0) 08:36:21 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r1 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7, 0x8100) r2 = syz_genetlink_get_family_id$tipc(&(0x7f0000000240)='TIPC\x00') setsockopt$netlink_NETLINK_NO_ENOBUFS(r1, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) sendmsg$TIPC_CMD_GET_LINKS(r1, &(0x7f0000000400)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x8}, 0xc, &(0x7f00000003c0)={&(0x7f0000000380)={0x24, r2, 0x420, 0x70bd26, 0x25dfdbfb, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x2}}, ["", "", "", "", ""]}, 0x24}, 0x1, 0x0, 0x0, 0x4000050}, 0x4) r3 = syz_genetlink_get_family_id$tipc(&(0x7f00000000c0)='TIPC\x00') sendmsg$TIPC_CMD_GET_LINKS(r1, &(0x7f00000001c0)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x4000000}, 0xc, &(0x7f0000000140)={&(0x7f0000000100)={0x24, r3, 0x300, 0x70bd28, 0x25dfdbfb, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x80000001}}, ["", "", "", ""]}, 0x24}, 0x1, 0x0, 0x0, 0x8000}, 0x4008041) setsockopt$RXRPC_SECURITY_KEY(r1, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:21 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) [ 752.711001][T15904] binder: 15900:15904 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 752.734040][T15898] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 752.755562][T15904] binder: 15900:15904 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 752.775655][T15898] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock [ 752.802563][T15904] binder: 15900:15904 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 752.841141][T15904] binder: 15900:15904 got transaction to invalid handle [ 752.849390][T15898] F2FS-fs (loop3): Invalid blocksize (1), supports only 4KB [ 752.849390][T15898] [ 752.860870][T15904] binder: 15900:15904 transaction failed 29201/-22, size 0-40 line 2995 [ 752.885820][T15898] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock [ 752.933203][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:36:22 executing program 2: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:22 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200), 0x0) 08:36:22 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r1 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7, 0x8100) r2 = syz_genetlink_get_family_id$tipc(&(0x7f0000000240)='TIPC\x00') setsockopt$netlink_NETLINK_NO_ENOBUFS(r1, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) sendmsg$TIPC_CMD_GET_LINKS(r1, &(0x7f0000000400)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x8}, 0xc, &(0x7f00000003c0)={&(0x7f0000000380)={0x24, r2, 0x420, 0x70bd26, 0x25dfdbfb, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x2}}, ["", "", "", "", ""]}, 0x24}, 0x1, 0x0, 0x0, 0x4000050}, 0x4) r3 = syz_genetlink_get_family_id$tipc(&(0x7f00000000c0)='TIPC\x00') sendmsg$TIPC_CMD_GET_LINKS(r1, &(0x7f00000001c0)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x4000000}, 0xc, &(0x7f0000000140)={&(0x7f0000000100)={0x24, r3, 0x300, 0x70bd28, 0x25dfdbfb, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x80000001}}, ["", "", "", ""]}, 0x24}, 0x1, 0x0, 0x0, 0x8000}, 0x4008041) 08:36:22 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f00000000c0)="1020f5f2010007000900000003000000", 0x10, 0x1400}], 0x0, 0x0) 08:36:22 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) [ 753.165126][T16023] binder: 16019:16023 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 753.186132][T16024] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 753.206091][T16023] binder: 16019:16023 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER 08:36:22 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{0x0}], 0x1) [ 753.216520][T16024] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock [ 753.226027][T16023] binder: 16019:16023 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 753.249524][T16024] F2FS-fs (loop3): Invalid blocksize (1), supports only 4KB [ 753.249524][T16024] [ 753.272408][T16023] binder: 16019:16023 got transaction to invalid handle [ 753.283669][T16024] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock [ 753.302360][T16023] binder: 16019:16023 transaction failed 29201/-22, size 0-40 line 2995 08:36:22 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r1 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7, 0x8100) r2 = syz_genetlink_get_family_id$tipc(&(0x7f0000000240)='TIPC\x00') setsockopt$netlink_NETLINK_NO_ENOBUFS(r1, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) sendmsg$TIPC_CMD_GET_LINKS(r1, &(0x7f0000000400)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x8}, 0xc, &(0x7f00000003c0)={&(0x7f0000000380)={0x24, r2, 0x420, 0x70bd26, 0x25dfdbfb, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x2}}, ["", "", "", "", ""]}, 0x24}, 0x1, 0x0, 0x0, 0x4000050}, 0x4) syz_genetlink_get_family_id$tipc(&(0x7f00000000c0)='TIPC\x00') [ 753.383953][T13002] binder: undelivered TRANSACTION_ERROR: 29201 [ 753.505693][T16088] binder: 16072:16088 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 753.555626][T16088] binder: 16072:16088 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 753.598890][T16088] binder: 16072:16088 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 753.639000][T16088] binder: 16072:16088 got transaction to invalid handle [ 753.658872][T16088] binder: 16072:16088 transaction failed 29201/-22, size 0-40 line 2995 [ 753.725789][T13002] binder: undelivered TRANSACTION_ERROR: 29201 08:36:22 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(0x0, r2, 0x6, r1, 0xb) 08:36:22 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f00000000c0)="1020f5f2010007000900000003000000", 0x10, 0x1400}], 0x0, 0x0) 08:36:22 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r1 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7, 0x8100) r2 = syz_genetlink_get_family_id$tipc(&(0x7f0000000240)='TIPC\x00') setsockopt$netlink_NETLINK_NO_ENOBUFS(r1, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) sendmsg$TIPC_CMD_GET_LINKS(r1, &(0x7f0000000400)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x8}, 0xc, &(0x7f00000003c0)={&(0x7f0000000380)={0x24, r2, 0x420, 0x70bd26, 0x25dfdbfb, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x2}}, ["", "", "", "", ""]}, 0x24}, 0x1, 0x0, 0x0, 0x4000050}, 0x4) r3 = syz_genetlink_get_family_id$tipc(&(0x7f00000000c0)='TIPC\x00') sendmsg$TIPC_CMD_GET_LINKS(r1, &(0x7f00000001c0)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x4000000}, 0xc, &(0x7f0000000140)={&(0x7f0000000100)={0x24, r3, 0x300, 0x70bd28, 0x25dfdbfb, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x80000001}}, ["", "", "", ""]}, 0x24}, 0x1, 0x0, 0x0, 0x8000}, 0x4008041) setsockopt$RXRPC_SECURITY_KEY(r1, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:22 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{0x0}], 0x1) 08:36:22 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r1 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7, 0x8100) r2 = syz_genetlink_get_family_id$tipc(&(0x7f0000000240)='TIPC\x00') setsockopt$netlink_NETLINK_NO_ENOBUFS(r1, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) sendmsg$TIPC_CMD_GET_LINKS(r1, &(0x7f0000000400)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x8}, 0xc, &(0x7f00000003c0)={&(0x7f0000000380)={0x24, r2, 0x420, 0x70bd26, 0x25dfdbfb, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x2}}, ["", "", "", "", ""]}, 0x24}, 0x1, 0x0, 0x0, 0x4000050}, 0x4) [ 753.910289][T16148] binder: 16147:16148 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 753.931114][T16151] binder: 16149:16151 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 753.957633][T16148] binder: 16147:16148 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 753.974858][T16151] binder: 16149:16151 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 753.989164][T16151] binder: 16149:16151 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 754.001237][T16153] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 754.016005][T16153] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock [ 754.016435][T16148] binder: 16147:16148 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 754.034701][T16153] F2FS-fs (loop3): Invalid blocksize (1), supports only 4KB [ 754.034701][T16153] [ 754.056419][T16151] binder: 16149:16151 got transaction to invalid handle [ 754.063473][T16153] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock [ 754.067890][T16148] binder: 16147:16148 got transaction to invalid handle [ 754.102645][T16151] binder: 16149:16151 transaction failed 29201/-22, size 0-40 line 2995 [ 754.198312][T13002] binder: undelivered TRANSACTION_ERROR: 29201 08:36:23 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x0) r1 = syz_open_dev$mice(&(0x7f0000000140)='/dev/input/mice\x00', 0x0, 0x0) bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000240)={r1, &(0x7f00000001c0)="a3d814ed56"}, 0x10) openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2\x00', 0x101000, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, 0xffffffffffffffff) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="116348400000000000000000000002000000000000000d000000a1ad0e29bf540000000000"], 0x0, 0x0, 0x0}) 08:36:23 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{0x0}], 0x1) 08:36:23 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f00000000c0)="1020f5f2010007000900000003000000", 0x10, 0x1400}], 0x0, 0x0) 08:36:23 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r1 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7, 0x8100) syz_genetlink_get_family_id$tipc(&(0x7f0000000240)='TIPC\x00') setsockopt$netlink_NETLINK_NO_ENOBUFS(r1, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) 08:36:23 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r1 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7, 0x8100) r2 = syz_genetlink_get_family_id$tipc(&(0x7f0000000240)='TIPC\x00') setsockopt$netlink_NETLINK_NO_ENOBUFS(r1, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) sendmsg$TIPC_CMD_GET_LINKS(r1, &(0x7f0000000400)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x8}, 0xc, &(0x7f00000003c0)={&(0x7f0000000380)={0x24, r2, 0x420, 0x70bd26, 0x25dfdbfb, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x2}}, ["", "", "", "", ""]}, 0x24}, 0x1, 0x0, 0x0, 0x4000050}, 0x4) r3 = syz_genetlink_get_family_id$tipc(&(0x7f00000000c0)='TIPC\x00') sendmsg$TIPC_CMD_GET_LINKS(r1, &(0x7f00000001c0)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x4000000}, 0xc, &(0x7f0000000140)={&(0x7f0000000100)={0x24, r3, 0x300, 0x70bd28, 0x25dfdbfb, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x80000001}}, ["", "", "", ""]}, 0x24}, 0x1, 0x0, 0x0, 0x8000}, 0x4008041) setsockopt$RXRPC_SECURITY_KEY(r1, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 754.538840][T16270] binder: 16268:16270 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 754.549956][T16272] binder: 16269:16272 DecRefs 0 refcount change on invalid ref 2 ret -22 08:36:23 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)}], 0x1) [ 754.588898][T16272] binder: 16269:16272 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 754.598753][T16270] binder: 16268:16270 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 754.608104][T16270] binder: 16268:16270 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 754.617482][T16274] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 754.639451][T16272] binder: 16269:16272 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 754.652730][T16274] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock [ 754.676435][T16274] F2FS-fs (loop3): Invalid blocksize (1), supports only 4KB [ 754.676435][T16274] 08:36:23 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7, 0x8100) syz_genetlink_get_family_id$tipc(&(0x7f0000000240)='TIPC\x00') [ 754.691345][T16272] binder: 16269:16272 got transaction to invalid handle [ 754.706102][T16274] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock [ 754.723253][T16270] binder: 16268:16270 got transaction to invalid handle 08:36:24 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x0, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:24 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)}], 0x1) 08:36:24 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f00000000c0)="1020f5f20100070009000000030000000c", 0x11}], 0x0, 0x0) 08:36:24 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7, 0x8100) syz_genetlink_get_family_id$tipc(&(0x7f0000000240)='TIPC\x00') 08:36:24 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r1 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7, 0x8100) r2 = syz_genetlink_get_family_id$tipc(&(0x7f0000000240)='TIPC\x00') setsockopt$netlink_NETLINK_NO_ENOBUFS(r1, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) sendmsg$TIPC_CMD_GET_LINKS(r1, &(0x7f0000000400)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x8}, 0xc, &(0x7f00000003c0)={&(0x7f0000000380)={0x24, r2, 0x420, 0x70bd26, 0x25dfdbfb, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x2}}, ["", "", "", "", ""]}, 0x24}, 0x1, 0x0, 0x0, 0x4000050}, 0x4) r3 = syz_genetlink_get_family_id$tipc(&(0x7f00000000c0)='TIPC\x00') sendmsg$TIPC_CMD_GET_LINKS(r1, &(0x7f00000001c0)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x4000000}, 0xc, &(0x7f0000000140)={&(0x7f0000000100)={0x24, r3, 0x300, 0x70bd28, 0x25dfdbfb, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x80000001}}, ["", "", "", ""]}, 0x24}, 0x1, 0x0, 0x0, 0x8000}, 0x4008041) setsockopt$RXRPC_SECURITY_KEY(r1, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:24 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7, 0x8100) syz_genetlink_get_family_id$tipc(&(0x7f0000000240)='TIPC\x00') [ 755.197191][T16403] binder: BINDER_SET_CONTEXT_MGR already set [ 755.210604][T16399] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 755.223427][T16403] binder: 16394:16403 ioctl 40046207 0 returned -16 [ 755.237743][T16404] binder: BINDER_SET_CONTEXT_MGR already set 08:36:24 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7, 0x8100) syz_genetlink_get_family_id$tipc(&(0x7f0000000240)='TIPC\x00') 08:36:24 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)}], 0x1) [ 755.248118][T16399] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock [ 755.271773][T16404] binder: 16395:16404 ioctl 40046207 0 returned -16 [ 755.285421][T16399] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) 08:36:24 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7, 0x8100) syz_genetlink_get_family_id$tipc(&(0x7f0000000240)='TIPC\x00') [ 755.318898][T16399] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock 08:36:24 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f640094000500", 0x2c}], 0x1) 08:36:24 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r1 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7, 0x8100) setsockopt$netlink_NETLINK_NO_ENOBUFS(r1, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) 08:36:24 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f00000000c0)="1020f5f20100070009000000030000000c", 0x11}], 0x0, 0x0) [ 755.477255][T16510] binder: BINDER_SET_CONTEXT_MGR already set [ 755.533269][T16510] binder: 16466:16510 ioctl 40046207 0 returned -16 [ 755.681350][T16526] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 755.762367][T16526] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock [ 755.779273][T16526] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 755.792626][T16526] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock 08:36:25 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x0, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:25 executing program 3: syz_mount_image$f2fs(&(0x7f0000000240)='f2fs\x00', &(0x7f0000000000)='./file0\x00', 0x0, 0x1, &(0x7f0000000200)=[{&(0x7f00000000c0)="1020f5f20100070009000000030000000c", 0x11}], 0x0, 0x0) 08:36:25 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f640094000500", 0x2c}], 0x1) 08:36:25 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r1 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7, 0x8100) r2 = syz_genetlink_get_family_id$tipc(&(0x7f0000000240)='TIPC\x00') setsockopt$netlink_NETLINK_NO_ENOBUFS(r1, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) sendmsg$TIPC_CMD_GET_LINKS(r1, &(0x7f0000000400)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x8}, 0xc, &(0x7f00000003c0)={&(0x7f0000000380)={0x24, r2, 0x420, 0x70bd26, 0x25dfdbfb, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x2}}, ["", "", "", "", ""]}, 0x24}, 0x1, 0x0, 0x0, 0x4000050}, 0x4) r3 = syz_genetlink_get_family_id$tipc(&(0x7f00000000c0)='TIPC\x00') sendmsg$TIPC_CMD_GET_LINKS(r1, &(0x7f00000001c0)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x4000000}, 0xc, &(0x7f0000000140)={&(0x7f0000000100)={0x24, r3, 0x300, 0x70bd28, 0x25dfdbfb, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x80000001}}, ["", "", "", ""]}, 0x24}, 0x1, 0x0, 0x0, 0x8000}, 0x4008041) 08:36:25 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r1 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7, 0x8100) setsockopt$netlink_NETLINK_NO_ENOBUFS(r1, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) 08:36:25 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7, 0x8100) syz_genetlink_get_family_id$tipc(&(0x7f0000000240)='TIPC\x00') [ 756.190388][T16548] binder_thread_write: 7 callbacks suppressed [ 756.190403][T16548] binder: 16543:16548 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 756.190414][T16550] binder: 16541:16550 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 756.190454][T16550] binder_thread_write: 7 callbacks suppressed [ 756.190462][T16550] binder: 16541:16550 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 756.203789][T16544] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) 08:36:25 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f640094000500", 0x2c}], 0x1) [ 756.240388][T16549] binder: 16540:16549 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 756.255314][T16548] binder: 16543:16548 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 756.276624][T16549] binder: 16540:16549 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 756.292865][T16548] binder_thread_write: 7 callbacks suppressed [ 756.292882][T16548] binder: 16543:16548 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 756.321217][T16548] binder_transaction: 7 callbacks suppressed [ 756.321233][T16548] binder: 16543:16548 got transaction to invalid handle [ 756.343997][T16550] binder: 16541:16550 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 756.354770][T16617] binder: BINDER_SET_CONTEXT_MGR already set [ 756.354791][T16549] binder: 16540:16549 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 756.354815][T16549] binder: 16540:16549 got transaction to invalid handle [ 756.377458][T16617] binder: 16540:16617 ioctl 40046207 0 returned -16 [ 756.389552][T16544] F2FS-fs (loop3): Can't find valid F2FS filesystem in 1th superblock [ 756.399025][T16548] binder_transaction: 11 callbacks suppressed [ 756.399054][T16548] binder: 16543:16548 transaction failed 29201/-22, size 0-40 line 2995 [ 756.407377][T16544] F2FS-fs (loop3): Magic Mismatch, valid(0xf2f52010) - read(0x0) [ 756.429847][T16544] F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock 08:36:25 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000", 0x42}], 0x1) [ 756.439622][T16550] binder: 16541:16550 got transaction to invalid handle [ 756.444243][T16549] binder: 16540:16549 transaction failed 29201/-22, size 0-40 line 2995 [ 756.468876][T16550] binder: 16541:16550 transaction failed 29201/-22, size 0-40 line 2995 08:36:25 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r1 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7, 0x8100) r2 = syz_genetlink_get_family_id$tipc(&(0x7f0000000240)='TIPC\x00') setsockopt$netlink_NETLINK_NO_ENOBUFS(r1, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) sendmsg$TIPC_CMD_GET_LINKS(r1, &(0x7f0000000400)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x8}, 0xc, &(0x7f00000003c0)={&(0x7f0000000380)={0x24, r2, 0x420, 0x70bd26, 0x25dfdbfb, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x2}}, ["", "", "", "", ""]}, 0x24}, 0x1, 0x0, 0x0, 0x4000050}, 0x4) r3 = syz_genetlink_get_family_id$tipc(&(0x7f00000000c0)='TIPC\x00') sendmsg$TIPC_CMD_GET_LINKS(r1, &(0x7f00000001c0)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x4000000}, 0xc, &(0x7f0000000140)={&(0x7f0000000100)={0x24, r3, 0x300, 0x70bd28, 0x25dfdbfb, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x80000001}}, ["", "", "", ""]}, 0x24}, 0x1, 0x0, 0x0, 0x8000}, 0x4008041) 08:36:25 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) [ 756.565337][T13002] binder_release_work: 11 callbacks suppressed [ 756.565345][T13002] binder: undelivered TRANSACTION_ERROR: 29201 08:36:25 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7, 0x8100) [ 756.613846][T13002] binder: undelivered TRANSACTION_ERROR: 29201 08:36:25 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000", 0x42}], 0x1) [ 756.678262][T13002] binder: undelivered TRANSACTION_ERROR: 29201 [ 756.732222][T16670] binder: 16666:16670 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 756.751693][T16673] binder: 16667:16673 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 756.772342][T16670] binder: 16666:16670 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER 08:36:25 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x0, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:25 executing program 3: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x0, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) [ 756.785790][T16673] binder: 16667:16673 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 756.804622][T16670] binder: 16666:16670 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 756.829434][T16673] binder: 16667:16673 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 756.850612][T16670] binder: 16666:16670 got transaction to invalid handle [ 756.864544][T16680] binder: 16671:16680 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 756.879693][T16673] binder: 16667:16673 got transaction to invalid handle 08:36:25 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000", 0x42}], 0x1) [ 756.889812][T16670] binder: 16666:16670 transaction failed 29201/-22, size 0-40 line 2995 [ 756.908216][T16673] binder: 16667:16673 transaction failed 29201/-22, size 0-40 line 2995 [ 756.924068][T16680] binder: 16671:16680 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER 08:36:25 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) [ 756.973190][T16686] binder: BINDER_SET_CONTEXT_MGR already set [ 757.002721][T16680] binder: 16671:16680 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 757.007977][T13002] binder: undelivered TRANSACTION_ERROR: 29201 08:36:25 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002", 0x4d}], 0x1) [ 757.025092][T16686] binder: 16671:16686 ioctl 40046207 0 returned -16 [ 757.057848][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:36:26 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r1 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7, 0x8100) r2 = syz_genetlink_get_family_id$tipc(&(0x7f0000000240)='TIPC\x00') setsockopt$netlink_NETLINK_NO_ENOBUFS(r1, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) sendmsg$TIPC_CMD_GET_LINKS(r1, &(0x7f0000000400)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x8}, 0xc, &(0x7f00000003c0)={&(0x7f0000000380)={0x24, r2, 0x420, 0x70bd26, 0x25dfdbfb, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x2}}, ["", "", "", "", ""]}, 0x24}, 0x1, 0x0, 0x0, 0x4000050}, 0x4) r3 = syz_genetlink_get_family_id$tipc(&(0x7f00000000c0)='TIPC\x00') sendmsg$TIPC_CMD_GET_LINKS(r1, &(0x7f00000001c0)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x4000000}, 0xc, &(0x7f0000000140)={&(0x7f0000000100)={0x24, r3, 0x300, 0x70bd28, 0x25dfdbfb, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x80000001}}, ["", "", "", ""]}, 0x24}, 0x1, 0x0, 0x0, 0x8000}, 0x4008041) [ 757.071191][T16680] binder: 16671:16680 got transaction to invalid handle [ 757.116566][T16680] binder: 16671:16680 transaction failed 29201/-22, size 0-40 line 2995 [ 757.121020][T16795] binder: 16791:16795 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 757.151406][T16799] binder: 16797:16799 DecRefs 0 refcount change on invalid ref 2 ret -22 08:36:26 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002", 0x4d}], 0x1) 08:36:26 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) [ 757.177421][T16799] binder: 16797:16799 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 757.180105][T16795] binder: 16791:16795 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 757.211560][T16799] binder: 16797:16799 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 757.220977][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 757.240799][T16795] binder: 16791:16795 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 757.273153][T16799] binder: 16797:16799 got transaction to invalid handle [ 757.285809][T16795] binder: 16791:16795 got transaction to invalid handle [ 757.300286][T16799] binder: 16797:16799 transaction failed 29201/-22, size 0-40 line 2995 08:36:26 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002", 0x4d}], 0x1) [ 757.338421][T16811] binder: 16807:16811 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 757.355733][T16795] binder: 16791:16795 transaction failed 29201/-22, size 0-40 line 2995 [ 757.376374][T16811] binder: 16807:16811 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 757.434199][T16811] binder: 16807:16811 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 757.466227][T16811] binder: 16807:16811 got transaction to invalid handle 08:36:26 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) 08:36:26 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r1 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7, 0x8100) r2 = syz_genetlink_get_family_id$tipc(&(0x7f0000000240)='TIPC\x00') setsockopt$netlink_NETLINK_NO_ENOBUFS(r1, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) sendmsg$TIPC_CMD_GET_LINKS(r1, &(0x7f0000000400)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x8}, 0xc, &(0x7f00000003c0)={&(0x7f0000000380)={0x24, r2, 0x420, 0x70bd26, 0x25dfdbfb, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x2}}, ["", "", "", "", ""]}, 0x24}, 0x1, 0x0, 0x0, 0x4000050}, 0x4) syz_genetlink_get_family_id$tipc(&(0x7f00000000c0)='TIPC\x00') setsockopt$RXRPC_SECURITY_KEY(r1, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 757.481097][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 757.488641][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 757.498167][T16811] binder: 16807:16811 transaction failed 29201/-22, size 0-40 line 2995 08:36:26 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900", 0x53}], 0x1) [ 757.618922][T16916] binder: 16915:16916 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 757.627442][T16916] binder: 16915:16916 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 757.628946][T16919] binder: 16918:16919 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 757.666696][T16919] binder: 16918:16919 got transaction to invalid handle [ 757.670860][T13002] binder: undelivered TRANSACTION_ERROR: 29201 [ 757.709491][T16916] binder: 16915:16916 transaction failed 29201/-22, size 0-40 line 2995 [ 757.735545][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:36:26 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x0, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:26 executing program 3: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x0, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:26 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) 08:36:26 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900", 0x53}], 0x1) 08:36:26 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) 08:36:26 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r1 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7, 0x8100) r2 = syz_genetlink_get_family_id$tipc(&(0x7f0000000240)='TIPC\x00') setsockopt$netlink_NETLINK_NO_ENOBUFS(r1, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) sendmsg$TIPC_CMD_GET_LINKS(r1, &(0x7f0000000400)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x8}, 0xc, &(0x7f00000003c0)={&(0x7f0000000380)={0x24, r2, 0x420, 0x70bd26, 0x25dfdbfb, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x2}}, ["", "", "", "", ""]}, 0x24}, 0x1, 0x0, 0x0, 0x4000050}, 0x4) syz_genetlink_get_family_id$tipc(&(0x7f00000000c0)='TIPC\x00') setsockopt$RXRPC_SECURITY_KEY(r1, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:27 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) 08:36:27 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900", 0x53}], 0x1) 08:36:27 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r1 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7, 0x8100) r2 = syz_genetlink_get_family_id$tipc(&(0x7f0000000240)='TIPC\x00') setsockopt$netlink_NETLINK_NO_ENOBUFS(r1, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) sendmsg$TIPC_CMD_GET_LINKS(r1, &(0x7f0000000400)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x8}, 0xc, &(0x7f00000003c0)={&(0x7f0000000380)={0x24, r2, 0x420, 0x70bd26, 0x25dfdbfb, {{}, 0x0, 0x4, 0x0, {0x8, 0x11, 0x2}}, ["", "", "", "", ""]}, 0x24}, 0x1, 0x0, 0x0, 0x4000050}, 0x4) setsockopt$RXRPC_SECURITY_KEY(r1, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:27 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) 08:36:27 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004", 0x56}], 0x1) 08:36:27 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r1 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7, 0x8100) syz_genetlink_get_family_id$tipc(&(0x7f0000000240)='TIPC\x00') setsockopt$netlink_NETLINK_NO_ENOBUFS(r1, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) setsockopt$RXRPC_SECURITY_KEY(r1, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:27 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x0, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:27 executing program 3: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x0, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:27 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) 08:36:27 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) 08:36:27 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r1 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7, 0x8100) syz_genetlink_get_family_id$tipc(&(0x7f0000000240)='TIPC\x00') setsockopt$RXRPC_SECURITY_KEY(r1, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:27 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004", 0x56}], 0x1) 08:36:28 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) 08:36:28 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r1 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x7, 0x8100) setsockopt$RXRPC_SECURITY_KEY(r1, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:28 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004", 0x56}], 0x1) 08:36:28 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) 08:36:28 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fc", 0x57}], 0x1) 08:36:28 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:28 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x0, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:29 executing program 3: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x0, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:29 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) 08:36:29 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) 08:36:29 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:29 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fc", 0x57}], 0x1) 08:36:29 executing program 5: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) 08:36:29 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:29 executing program 4: r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") r1 = socket$netlink(0x10, 0x3, 0x8000000004) writev(r1, &(0x7f0000000200)=[{&(0x7f0000000100)="580000001400192340834b80040d8c560a067fbc45ff810500000000000058000b480400945f64009400050028925ae9ffffffffffffff8000f0fffeffe809000000fff5dd0000001000010002081000414900000004fc", 0x57}], 0x1) 08:36:29 executing program 2: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) 08:36:29 executing program 2: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) 08:36:29 executing program 5: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) 08:36:29 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:30 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/avc/cache_stats\x00', 0x0, 0x0) write$cgroup_type(r1, &(0x7f0000000080)='threaded\x00', 0x9) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r2, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, r2, 0x0) mprotect(&(0x7f0000a00000/0x600000)=nil, 0x600000, 0x7) madvise(&(0x7f0000779000/0x600000)=nil, 0x600000, 0x1000000000009) prctl$PR_TASK_PERF_EVENTS_DISABLE(0x1f) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:36:30 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:30 executing program 2: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) 08:36:30 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/avc/cache_stats\x00', 0x0, 0x0) write$cgroup_type(r1, &(0x7f0000000080)='threaded\x00', 0x9) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r2, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, r2, 0x0) mprotect(&(0x7f0000a00000/0x600000)=nil, 0x600000, 0x7) madvise(&(0x7f0000779000/0x600000)=nil, 0x600000, 0x1000000000009) prctl$PR_TASK_PERF_EVENTS_DISABLE(0x1f) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:36:30 executing program 5: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) 08:36:30 executing program 2: syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) 08:36:30 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 761.244577][T17162] binder: 17160:17162 ioctl c0306201 20000200 returned -14 08:36:30 executing program 5: syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) 08:36:30 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/avc/cache_stats\x00', 0x0, 0x0) write$cgroup_type(r1, &(0x7f0000000080)='threaded\x00', 0x9) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r2, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, r2, 0x0) mprotect(&(0x7f0000a00000/0x600000)=nil, 0x600000, 0x7) madvise(&(0x7f0000779000/0x600000)=nil, 0x600000, 0x1000000000009) prctl$PR_TASK_PERF_EVENTS_DISABLE(0x1f) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:36:30 executing program 2: syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) 08:36:30 executing program 5: syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) [ 761.563337][T17179] binder: 17178:17179 ioctl c0306201 20000200 returned -14 [ 761.685247][T17188] binder: 17187:17188 ioctl c0306201 20000200 returned -14 08:36:30 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:30 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:30 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/avc/cache_stats\x00', 0x0, 0x0) write$cgroup_type(r1, &(0x7f0000000080)='threaded\x00', 0x9) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r2, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, r2, 0x0) mprotect(&(0x7f0000a00000/0x600000)=nil, 0x600000, 0x7) madvise(&(0x7f0000779000/0x600000)=nil, 0x600000, 0x1000000000009) prctl$PR_TASK_PERF_EVENTS_DISABLE(0x1f) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:36:30 executing program 2: syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) 08:36:30 executing program 5: syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) 08:36:30 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/avc/cache_stats\x00', 0x0, 0x0) write$cgroup_type(r1, &(0x7f0000000080)='threaded\x00', 0x9) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r2, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, r2, 0x0) mprotect(&(0x7f0000a00000/0x600000)=nil, 0x600000, 0x7) madvise(&(0x7f0000779000/0x600000)=nil, 0x600000, 0x1000000000009) prctl$PR_TASK_PERF_EVENTS_DISABLE(0x1f) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:36:30 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x10, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) 08:36:30 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) 08:36:30 executing program 0: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 762.002697][T17201] binder: 17199:17201 ioctl c0306201 20000200 returned -14 [ 762.032054][T17202] binder: BINDER_SET_CONTEXT_MGR already set [ 762.068896][T17202] binder: 17200:17202 ioctl 40046207 0 returned -16 [ 762.094448][T17210] binder: 17200:17210 ioctl c0306201 20000200 returned -14 08:36:31 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/avc/cache_stats\x00', 0x0, 0x0) write$cgroup_type(r1, &(0x7f0000000080)='threaded\x00', 0x9) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r2, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, r2, 0x0) mprotect(&(0x7f0000a00000/0x600000)=nil, 0x600000, 0x7) madvise(&(0x7f0000779000/0x600000)=nil, 0x600000, 0x1000000000009) prctl$PR_TASK_PERF_EVENTS_DISABLE(0x1f) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:36:31 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) [ 762.116064][T17208] binder_thread_write: 13 callbacks suppressed [ 762.116079][T17208] binder: 17207:17208 DecRefs 0 refcount change on invalid ref 2 ret -22 08:36:31 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/avc/cache_stats\x00', 0x0, 0x0) write$cgroup_type(r1, &(0x7f0000000080)='threaded\x00', 0x9) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r2, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, r2, 0x0) mprotect(&(0x7f0000a00000/0x600000)=nil, 0x600000, 0x7) madvise(&(0x7f0000779000/0x600000)=nil, 0x600000, 0x1000000000009) prctl$PR_TASK_PERF_EVENTS_DISABLE(0x1f) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) [ 762.204786][T17208] binder_thread_write: 13 callbacks suppressed [ 762.204795][T17208] binder: 17207:17208 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 762.250987][T17219] binder: 17215:17219 ioctl c0306201 20000200 returned -14 [ 762.266923][T17208] binder_thread_write: 13 callbacks suppressed [ 762.266938][T17208] binder: 17207:17208 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 762.288373][T17208] binder_transaction: 13 callbacks suppressed [ 762.288383][T17208] binder: 17207:17208 got transaction to invalid handle [ 762.335103][T17208] binder_transaction: 13 callbacks suppressed [ 762.335122][T17208] binder: 17207:17208 transaction failed 29201/-22, size 0-40 line 2995 [ 762.384895][ T17] binder_release_work: 13 callbacks suppressed [ 762.384902][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 762.391233][T17226] binder: 17221:17226 ioctl c0306201 20000200 returned -14 08:36:31 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x0, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:31 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) 08:36:31 executing program 0: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:31 executing program 3: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/avc/cache_stats\x00', 0x0, 0x0) write$cgroup_type(r0, &(0x7f0000000080)='threaded\x00', 0x9) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, r1, 0x0) mprotect(&(0x7f0000a00000/0x600000)=nil, 0x600000, 0x7) madvise(&(0x7f0000779000/0x600000)=nil, 0x600000, 0x1000000000009) prctl$PR_TASK_PERF_EVENTS_DISABLE(0x1f) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) 08:36:31 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/avc/cache_stats\x00', 0x0, 0x0) write$cgroup_type(r1, &(0x7f0000000080)='threaded\x00', 0x9) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r2, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, r2, 0x0) mprotect(&(0x7f0000a00000/0x600000)=nil, 0x600000, 0x7) madvise(&(0x7f0000779000/0x600000)=nil, 0x600000, 0x1000000000009) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:36:31 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) 08:36:31 executing program 0: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 762.876468][T17239] binder: 17238:17239 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 762.890685][T17237] binder: 17236:17237 ioctl c0306201 20000200 returned -14 [ 762.911387][T17239] binder: 17238:17239 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER 08:36:31 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) 08:36:31 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/avc/cache_stats\x00', 0x0, 0x0) write$cgroup_type(r1, &(0x7f0000000080)='threaded\x00', 0x9) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r2, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, r2, 0x0) mprotect(&(0x7f0000a00000/0x600000)=nil, 0x600000, 0x7) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:36:31 executing program 3: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/avc/cache_stats\x00', 0x0, 0x0) write$cgroup_type(r0, &(0x7f0000000080)='threaded\x00', 0x9) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, r1, 0x0) mprotect(&(0x7f0000a00000/0x600000)=nil, 0x600000, 0x7) madvise(&(0x7f0000779000/0x600000)=nil, 0x600000, 0x1000000000009) prctl$PR_TASK_PERF_EVENTS_DISABLE(0x1f) [ 762.942338][T17239] binder: 17238:17239 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 08:36:31 executing program 0: syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 763.026425][T17239] binder: 17238:17239 got transaction to invalid handle [ 763.069512][T17251] binder: 17247:17251 ioctl c0306201 0 returned -14 [ 763.080370][T17254] binder: 17252:17254 ioctl c0306201 20000200 returned -14 [ 763.100055][T17239] binder: 17238:17239 transaction failed 29201/-22, size 0-40 line 2995 08:36:32 executing program 0: syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 763.135911][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:36:32 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x0, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:32 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/avc/cache_stats\x00', 0x0, 0x0) write$cgroup_type(r1, &(0x7f0000000080)='threaded\x00', 0x9) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r2, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, r2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:36:32 executing program 3: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/avc/cache_stats\x00', 0x0, 0x0) write$cgroup_type(r0, &(0x7f0000000080)='threaded\x00', 0x9) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, r1, 0x0) mprotect(&(0x7f0000a00000/0x600000)=nil, 0x600000, 0x7) madvise(&(0x7f0000779000/0x600000)=nil, 0x600000, 0x1000000000009) 08:36:32 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) 08:36:32 executing program 0: syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:32 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) 08:36:32 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) [ 763.655249][T17272] binder: 17271:17272 ioctl c0306201 20000200 returned -14 [ 763.666661][T17276] binder: 17273:17276 ioctl c0306201 0 returned -14 08:36:32 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) 08:36:32 executing program 3: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/avc/cache_stats\x00', 0x0, 0x0) write$cgroup_type(r0, &(0x7f0000000080)='threaded\x00', 0x9) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, r1, 0x0) mprotect(&(0x7f0000a00000/0x600000)=nil, 0x600000, 0x7) 08:36:32 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:32 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/avc/cache_stats\x00', 0x0, 0x0) write$cgroup_type(r1, &(0x7f0000000080)='threaded\x00', 0x9) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:36:32 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) [ 763.857391][T17295] binder: 17294:17295 ioctl c0306201 0 returned -14 [ 763.895535][T17296] binder: 17292:17296 transaction failed 29189/-22, size 84-0 line 2995 [ 763.963845][ T17] binder: undelivered TRANSACTION_ERROR: 29189 08:36:33 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x0, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:33 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x0, 0x0, 0x0, 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) 08:36:33 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:33 executing program 3: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/avc/cache_stats\x00', 0x0, 0x0) write$cgroup_type(r0, &(0x7f0000000080)='threaded\x00', 0x9) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) mprotect(&(0x7f0000a00000/0x600000)=nil, 0x600000, 0x7) 08:36:33 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/avc/cache_stats\x00', 0x0, 0x0) write$cgroup_type(r1, &(0x7f0000000080)='threaded\x00', 0x9) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:36:33 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) 08:36:33 executing program 3: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/avc/cache_stats\x00', 0x0, 0x0) write$cgroup_type(r0, &(0x7f0000000080)='threaded\x00', 0x9) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) mprotect(&(0x7f0000a00000/0x600000)=nil, 0x600000, 0x7) [ 764.389279][T17317] binder: 17315:17317 ioctl c0306201 0 returned -14 [ 764.390634][T17312] binder: 17311:17312 transaction failed 29189/-22, size 84-0 line 2995 08:36:33 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x0, 0x0, 0x0, 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) [ 764.436575][T13002] binder: undelivered TRANSACTION_ERROR: 29189 08:36:33 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:33 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) 08:36:33 executing program 3: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/avc/cache_stats\x00', 0x0, 0x0) write$cgroup_type(r0, &(0x7f0000000080)='threaded\x00', 0x9) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) mprotect(&(0x7f0000a00000/0x600000)=nil, 0x600000, 0x7) 08:36:33 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/avc/cache_stats\x00', 0x0, 0x0) write$cgroup_type(r1, &(0x7f0000000080)='threaded\x00', 0x9) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) [ 764.606328][T17331] binder: 17330:17331 transaction failed 29189/-22, size 84-0 line 2995 [ 764.652751][T17337] binder: 17333:17337 ioctl c0306201 0 returned -14 [ 764.683068][T13002] binder: undelivered TRANSACTION_ERROR: 29189 08:36:34 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0x0, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:34 executing program 3: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/avc/cache_stats\x00', 0x0, 0x0) write$cgroup_type(r0, &(0x7f0000000080)='threaded\x00', 0x9) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, r1, 0x0) mprotect(&(0x7f0000a00000/0x600000)=nil, 0x600000, 0x7) 08:36:34 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x0, 0x0, 0x0, 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) 08:36:34 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/avc/cache_stats\x00', 0x0, 0x0) write$cgroup_type(r1, &(0x7f0000000080)='threaded\x00', 0x9) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, r2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:36:34 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:34 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) 08:36:34 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x0, 0x0, 0x0, 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) [ 765.171459][T17350] binder: 17349:17350 ioctl c0306201 20000200 returned -14 [ 765.179560][T17354] binder: 17351:17354 ioctl c0306201 0 returned -14 [ 765.199575][T17353] binder: 17352:17353 ioctl c0306201 0 returned -14 08:36:34 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x24, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) 08:36:34 executing program 3: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/avc/cache_stats\x00', 0x0, 0x0) write$cgroup_type(r0, &(0x7f0000000080)='threaded\x00', 0x9) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, 0xffffffffffffffff, 0x0) mprotect(&(0x7f0000a00000/0x600000)=nil, 0x600000, 0x7) 08:36:34 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:34 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/avc/cache_stats\x00', 0x0, 0x0) write$cgroup_type(r1, &(0x7f0000000080)='threaded\x00', 0x9) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:36:34 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x0, 0x0, 0x0, 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) [ 765.383132][T17370] binder: 17366:17370 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 765.414621][T17372] binder: 17371:17372 ioctl c0306201 20000200 returned -14 [ 765.425004][T17370] binder: 17366:17370 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 765.449265][T17374] binder: 17373:17374 ioctl c0306201 0 returned -14 [ 765.486220][T17370] binder: 17366:17370 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 08:36:34 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0x0, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:34 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x0, 0x0, 0x0, 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) 08:36:34 executing program 3: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/avc/cache_stats\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, 0xffffffffffffffff, 0x0) mprotect(&(0x7f0000a00000/0x600000)=nil, 0x600000, 0x7) 08:36:34 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/avc/cache_stats\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:36:34 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:34 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x20, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) 08:36:34 executing program 3: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, 0xffffffffffffffff, 0x0) mprotect(&(0x7f0000a00000/0x600000)=nil, 0x600000, 0x7) [ 765.991781][T17394] binder: 17393:17394 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 766.004847][T17397] binder: 17388:17397 ioctl c0306201 20000200 returned -14 [ 766.012359][T17392] binder: 17391:17392 ioctl c0306201 0 returned -14 [ 766.020660][T17394] binder: 17393:17394 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER 08:36:35 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x0, 0x0, 0x0, 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:35 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:36:35 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x24, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) [ 766.069226][T17394] binder: 17393:17394 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 766.175407][T17407] binder: 17405:17407 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 766.188567][T17409] binder: 17408:17409 ioctl c0306201 20000200 returned -14 08:36:35 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x20, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) 08:36:35 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x0, 0x0, 0x0, 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 766.216759][T17407] binder: 17405:17407 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 766.245169][T17407] binder: 17405:17407 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 766.281285][T17413] binder: 17412:17413 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 766.317438][T17413] binder: 17412:17413 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 766.343162][T17413] binder: 17412:17413 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 08:36:35 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0x0, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:35 executing program 4: mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:36:35 executing program 3: mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, 0xffffffffffffffff, 0x0) mprotect(&(0x7f0000a00000/0x600000)=nil, 0x600000, 0x7) 08:36:35 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x0, 0x0, 0x0, 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:35 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x20, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) 08:36:35 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x20, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) [ 766.752882][T17433] binder: 17432:17433 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 766.789061][T17436] binder: 17434:17436 DecRefs 0 refcount change on invalid ref 2 ret -22 08:36:35 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x24, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:35 executing program 4: mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) [ 766.799012][T17433] binder: 17432:17433 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 766.813646][T17436] binder: 17434:17436 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 766.829822][T17433] binder: 17432:17433 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 08:36:35 executing program 3: mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c832, 0xffffffffffffffff, 0x0) mprotect(&(0x7f0000a00000/0x600000)=nil, 0x600000, 0x7) [ 766.867097][T17436] binder: 17434:17436 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 766.893278][T17443] binder: 17442:17443 DecRefs 0 refcount change on invalid ref 2 ret -22 08:36:35 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x14, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @exit_looper], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) [ 766.914755][T17443] binder: 17442:17443 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER 08:36:35 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x10, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) [ 766.976426][T17443] binder: 17442:17443 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 08:36:35 executing program 4: mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) [ 767.016692][T17451] binder: 17448:17451 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 767.046632][T17453] binder: 17452:17453 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER 08:36:36 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:36 executing program 3: mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x10, 0xffffffffffffffff, 0x0) mprotect(&(0x7f0000a00000/0x600000)=nil, 0x600000, 0x7) 08:36:36 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x24, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:36 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x14, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @exit_looper], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) 08:36:36 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0xc, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) 08:36:36 executing program 4: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:36:36 executing program 3: mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x10, 0xffffffffffffffff, 0x0) mprotect(&(0x7f0000a00000/0x600000)=nil, 0x600000, 0x7) 08:36:36 executing program 4: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) [ 767.566604][T17569] binder_thread_write: 1 callbacks suppressed [ 767.566621][T17569] binder: 17568:17569 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 767.570714][T17574] binder: 17572:17574 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 767.583727][T17569] binder_thread_write: 1 callbacks suppressed [ 767.583738][T17569] binder: 17568:17569 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 767.605651][T17576] binder: 17575:17576 DecRefs 0 refcount change on invalid ref 2 ret -22 08:36:36 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0xc, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) [ 767.674451][T17574] binder: 17572:17574 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER 08:36:36 executing program 3: mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x10, 0xffffffffffffffff, 0x0) mprotect(&(0x7f0000a00000/0x600000)=nil, 0x600000, 0x7) 08:36:36 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x14, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @exit_looper], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) [ 767.719426][T17574] binder: 17572:17574 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 767.772965][T17588] binder: 17586:17588 DecRefs 0 refcount change on invalid ref 2 ret -22 08:36:36 executing program 4: r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) [ 767.828249][T17642] binder: 17638:17642 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 767.884437][T17642] binder: 17638:17642 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER 08:36:37 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x0, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:37 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0xc, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) 08:36:37 executing program 3: mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c832, 0xffffffffffffffff, 0x0) mprotect(&(0x7f0000a00000/0x600000)=nil, 0x600000, 0x0) 08:36:37 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x24, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:37 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x24, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death, @exit_looper], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) 08:36:37 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c832, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) [ 768.436686][T17712] binder: 17711:17712 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 768.453370][T17714] binder: 17707:17714 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 768.463155][T17715] binder: 17713:17715 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 768.464962][T17716] binder: 17708:17716 ioctl c0306201 20000200 returned -14 08:36:37 executing program 3: mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c832, 0xffffffffffffffff, 0x0) mprotect(&(0x7f0000a00000/0x600000)=nil, 0x600000, 0x0) 08:36:37 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c832, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) [ 768.482322][T17712] binder: 17711:17712 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 768.495006][T17712] binder: 17711:17712 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 768.505096][T17715] binder: 17713:17715 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER 08:36:37 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0xc, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @register_looper], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) [ 768.548958][T17715] binder: 17713:17715 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 08:36:37 executing program 3: mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c832, 0xffffffffffffffff, 0x0) mprotect(&(0x7f0000a00000/0x600000)=nil, 0x600000, 0x0) 08:36:37 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x24, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death, @exit_looper], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) [ 768.657203][T17821] binder: 17812:17821 ioctl c0306201 20000200 returned -14 08:36:37 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x0, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 768.698998][T17826] binder: 17824:17826 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 768.707531][T17826] binder: 17824:17826 ERROR: BC_REGISTER_LOOPER called without request [ 768.779852][T17832] binder: 17829:17832 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 768.818961][T17832] binder: 17829:17832 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 768.854787][T17832] binder: 17829:17832 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 768.892529][T17841] binder: 17840:17841 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 768.921052][T17841] binder: 17840:17841 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 768.934087][T17841] binder: 17840:17841 transaction failed 29189/-22, size 0-40 line 2995 [ 769.038376][T13002] binder: undelivered TRANSACTION_ERROR: 29189 08:36:38 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x0, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:38 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x5c832, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:36:38 executing program 3: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:38 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0xc, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @register_looper], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) 08:36:38 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x20, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @request_death, @exit_looper], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) 08:36:38 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x0, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 769.323023][T17949] binder: 17948:17949 ERROR: BC_REGISTER_LOOPER called without request [ 769.337173][T17954] binder: 17950:17954 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 769.351164][T17953] binder: 17951:17953 ioctl c0306201 20000200 returned -14 [ 769.365752][T17955] binder: 17946:17955 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER 08:36:38 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:36:38 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x20, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @request_death, @exit_looper], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) 08:36:38 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0xc, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @register_looper], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) [ 769.399720][T17955] binder: 17946:17955 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 769.419386][T17955] binder: 17946:17955 transaction failed 29189/-22, size 0-40 line 2995 [ 769.500059][T17966] binder: 17965:17966 ERROR: BC_REGISTER_LOOPER called without request [ 769.500753][T17962] binder: 17961:17962 transaction failed 29189/-22, size 84-0 line 2995 [ 769.532655][T17969] binder: 17968:17969 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 769.565592][ T17] binder: undelivered TRANSACTION_ERROR: 29189 08:36:38 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:36:38 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x20, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @request_death, @exit_looper], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) 08:36:38 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x8, 0x0, &(0x7f00000004c0)=[@enter_looper, @register_looper], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) [ 769.639755][T13002] binder: undelivered TRANSACTION_ERROR: 29189 [ 769.745560][T18073] binder: 18072:18073 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 769.754960][T18076] binder: 18074:18076 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 769.764290][T18078] binder: 18075:18078 transaction failed 29189/-22, size 84-0 line 2995 [ 769.822013][ T17] binder: undelivered TRANSACTION_ERROR: 29189 08:36:39 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x0, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:39 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x1c, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @request_death, @exit_looper], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) 08:36:39 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x0, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:39 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x8, 0x0, &(0x7f00000004c0)=[@enter_looper, @register_looper], 0x0, 0x0, 0x0}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440)=0x5, 0x4) 08:36:39 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:36:39 executing program 3: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) [ 770.408193][T18090] binder: 18089:18090 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 770.425581][T18094] binder: 18091:18094 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 770.439786][T18093] binder: 18092:18093 transaction failed 29189/-22, size 84-0 line 2995 08:36:39 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x8, 0x0, &(0x7f00000004c0)=[@enter_looper, @register_looper], 0x0, 0x0, 0x0}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, 0x0, 0x0) [ 770.456078][T18097] binder: 18095:18097 transaction failed 29189/-22, size 0-40 line 2995 [ 770.468891][T13002] binder: undelivered TRANSACTION_ERROR: 29189 08:36:39 executing program 4: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:36:39 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x1c, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @request_death, @exit_looper], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) 08:36:39 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x8, 0x0, &(0x7f00000004c0)=[@enter_looper, @register_looper], 0x0, 0x0, 0x0}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, 0x0, 0x0) 08:36:39 executing program 4: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:36:39 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x0, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 770.693809][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 770.789793][T18220] binder: 18218:18220 got transaction to invalid handle [ 770.830096][T18220] binder: 18218:18220 transaction failed 29201/-22, size 0-40 line 2995 [ 770.985945][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:36:40 executing program 4: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:36:40 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x1c, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @request_death, @exit_looper], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) 08:36:40 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x8, 0x0, &(0x7f00000004c0)=[@enter_looper, @register_looper], 0x0, 0x0, 0x0}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, 0x0, 0x0) 08:36:40 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x0, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:40 executing program 3: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:40 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x0, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:40 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x18, 0x0, &(0x7f00000004c0)=[@enter_looper, @request_death, @exit_looper], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) [ 771.509196][T18336] binder: 18334:18336 got transaction to invalid handle 08:36:40 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x8, 0x0, &(0x7f00000004c0)=[@enter_looper, @register_looper], 0x0, 0x0, 0x0}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440), 0x4) [ 771.552035][T18336] binder: 18334:18336 transaction failed 29201/-22, size 0-40 line 2995 08:36:40 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) 08:36:40 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x18, 0x0, &(0x7f00000004c0)=[@enter_looper, @request_death, @exit_looper], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) 08:36:40 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x8, 0x0, &(0x7f00000004c0)=[@enter_looper, @register_looper], 0x0, 0x0, 0x0}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440), 0x4) [ 771.733017][T18351] binder: 18350:18351 ioctl c0306201 0 returned -14 08:36:40 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) 08:36:40 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x18, 0x0, &(0x7f00000004c0)=[@enter_looper, @request_death, @exit_looper], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) 08:36:40 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x0, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:40 executing program 5: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x8, 0x0, &(0x7f00000004c0)=[@enter_looper, @register_looper], 0x0, 0x0, 0x0}) setsockopt$netlink_NETLINK_NO_ENOBUFS(0xffffffffffffffff, 0x10e, 0x5, &(0x7f0000000440), 0x4) [ 771.896809][T13002] binder: undelivered TRANSACTION_ERROR: 29201 [ 771.961333][T18463] binder: 18462:18463 ioctl c0306201 0 returned -14 08:36:40 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x20, 0x0, &(0x7f00000004c0)=[@decrefs, @enter_looper, @request_death, @exit_looper], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) [ 772.032451][T18470] binder: 18467:18470 got transaction to invalid handle [ 772.114533][T18470] binder: 18467:18470 transaction failed 29201/-22, size 0-40 line 2995 [ 772.254933][T13002] binder: undelivered TRANSACTION_ERROR: 29201 08:36:41 executing program 3: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x0, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:41 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x0, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:41 executing program 5: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x0, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:41 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0) 08:36:41 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x20, 0x0, &(0x7f00000004c0)=[@decrefs, @enter_looper, @request_death, @exit_looper], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) 08:36:41 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 772.751325][T18589] binder: 18584:18589 ioctl c0306201 0 returned -14 [ 772.764381][T18591] binder_thread_write: 15 callbacks suppressed [ 772.764407][T18591] binder: 18585:18591 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 772.779608][T18588] binder: 18586:18588 DecRefs 0 refcount change on invalid ref 0 ret -22 08:36:41 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) [ 772.806505][T18588] binder_thread_write: 10 callbacks suppressed [ 772.806518][T18588] binder: 18586:18588 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 772.808939][T18591] binder_thread_write: 10 callbacks suppressed [ 772.808949][T18591] binder: 18585:18591 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER 08:36:41 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x20, 0x0, &(0x7f00000004c0)=[@decrefs, @enter_looper, @request_death, @exit_looper], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) [ 772.889361][T18591] binder: 18585:18591 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 772.890377][T18599] binder: 18597:18599 ioctl c0306201 20000200 returned -14 [ 772.936900][T18591] binder: 18585:18591 got transaction to invalid handle [ 772.983616][T18625] binder: 18624:18625 DecRefs 0 refcount change on invalid ref 0 ret -22 [ 773.007861][T18591] binder: 18585:18591 transaction failed 29201/-22, size 0-40 line 2995 [ 773.022191][T18625] binder: 18624:18625 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 08:36:42 executing program 4: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x0, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:42 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x20, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @request_death, @exit_looper], 0x0, 0x0, 0x0}) 08:36:42 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 773.210978][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 773.296322][T18715] binder: 18714:18715 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 773.304312][T18720] binder: 18718:18720 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 773.323170][T18720] binder: 18718:18720 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 773.345955][T18715] binder: 18714:18715 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 773.384369][T18715] binder: 18714:18715 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 08:36:42 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x20, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @request_death, @exit_looper], 0x0, 0x0, 0x0}) [ 773.417870][T18715] binder: 18714:18715 got transaction to invalid handle [ 773.564454][T18826] binder: 18814:18826 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 773.628793][T18826] binder: 18814:18826 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 08:36:42 executing program 3: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x0, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:43 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x0, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:43 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:43 executing program 5: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x0, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:43 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x20, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @request_death, @exit_looper], 0x0, 0x0, 0x0}) 08:36:43 executing program 4: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x0, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) [ 774.257237][T18838] binder: 18833:18838 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 774.266953][T18839] binder: 18834:18839 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 774.292147][T18838] binder: 18833:18838 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 774.315679][T18839] binder: 18834:18839 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 774.327027][T18838] binder: 18833:18838 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 774.351253][T18838] binder: 18833:18838 got transaction to invalid handle [ 774.392644][T18838] binder_transaction: 1 callbacks suppressed [ 774.392665][T18838] binder: 18833:18838 transaction failed 29201/-22, size 0-40 line 2995 08:36:43 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x20, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @request_death, @exit_looper], 0x0, 0x0, &(0x7f0000000540)}) 08:36:43 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, 0x0, &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 774.601262][ T17] binder_release_work: 1 callbacks suppressed [ 774.601271][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 774.637091][T18958] binder: 18955:18958 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 774.684702][T18958] binder: 18955:18958 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 08:36:43 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x20, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @request_death, @exit_looper], 0x0, 0x0, &(0x7f0000000540)}) [ 774.726572][T18961] binder: 18960:18961 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 774.738808][T18961] binder: 18960:18961 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 774.804328][T18961] binder: 18960:18961 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 08:36:43 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x20, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @request_death, @exit_looper], 0x0, 0x0, &(0x7f0000000540)}) [ 774.878045][T18961] binder: 18960:18961 got transaction to invalid handle [ 774.954244][T18961] binder: 18960:18961 transaction failed 29201/-22, size 0-40 line 2995 08:36:43 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, 0x0, &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:43 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x20, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @request_death, @exit_looper], 0x1d, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f"}) [ 775.042343][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 775.358835][T19073] binder: 19072:19073 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER 08:36:44 executing program 3: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x0, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) [ 775.399912][T19073] binder: 19072:19073 got transaction to invalid handle [ 775.430237][T19073] binder: 19072:19073 transaction failed 29201/-22, size 0-40 line 2995 08:36:44 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x0, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:44 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x20, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @request_death, @exit_looper], 0x1d, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f"}) 08:36:44 executing program 5: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x0, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:44 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x20, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @request_death, @exit_looper], 0x1d, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f"}) [ 775.639003][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:36:44 executing program 4: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x0, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:44 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, 0x0, &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:44 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x20, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @request_death, @exit_looper], 0x2b, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea"}) [ 775.747453][T19187] binder: 19186:19187 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 775.818257][T19187] binder: 19186:19187 got transaction to invalid handle [ 775.842122][T19187] binder: 19186:19187 transaction failed 29201/-22, size 0-40 line 2995 08:36:44 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x20, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @request_death, @exit_looper], 0x2b, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea"}) 08:36:45 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000440), 0x0}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:45 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x20, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @request_death, @exit_looper], 0x2b, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea"}) [ 776.075305][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 776.181036][T19316] binder: 19315:19316 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 776.211196][T19316] binder: 19315:19316 got transaction to invalid handle 08:36:45 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x20, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @request_death, @exit_looper], 0x32, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3"}) [ 776.238789][T19316] binder: 19315:19316 transaction failed 29201/-22, size 0-0 line 2995 [ 776.400198][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:36:45 executing program 3: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = openat$selinux_avc_cache_stats(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/avc/cache_stats\x00', 0x0, 0x0) write$cgroup_type(r0, &(0x7f0000000080)='threaded\x00', 0x9) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x3, 0x5c832, r1, 0x0) mprotect(&(0x7f0000a00000/0x600000)=nil, 0x600000, 0x7) 08:36:45 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x20, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @request_death, @exit_looper], 0x32, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3"}) 08:36:45 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000440), 0x0}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:45 executing program 5: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0x0, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:45 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x0, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) [ 776.915362][T19429] binder: 19426:19429 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 776.974091][T19429] binder: 19426:19429 got transaction to invalid handle [ 777.018792][T19429] binder: 19426:19429 transaction failed 29201/-22, size 0-0 line 2995 08:36:46 executing program 4: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x0, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:46 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x20, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @request_death, @exit_looper], 0x32, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3"}) 08:36:46 executing program 3: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x0, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:46 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000440), 0x0}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:46 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x20, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @request_death, @exit_looper], 0x36, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd"}) [ 777.248951][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 777.323648][T19548] binder: 19547:19548 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 777.378905][T19548] binder: 19547:19548 got transaction to invalid handle [ 777.408812][T19548] binder: 19547:19548 transaction failed 29201/-22, size 0-0 line 2995 08:36:46 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x20, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @request_death, @exit_looper], 0x36, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd"}) 08:36:46 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x20, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:46 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x20, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @request_death, @exit_looper], 0x36, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd"}) [ 777.589038][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 777.669860][T19663] binder: 19662:19663 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 777.702320][T19663] binder: 19662:19663 got transaction to invalid handle [ 777.726203][T19663] binder: 19662:19663 transaction failed 29201/-22, size 0-32 line 2995 08:36:46 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x20, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @request_death, @exit_looper], 0x38, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec0"}) 08:36:46 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x20, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 777.898353][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 777.936806][T19772] binder_thread_write: 20 callbacks suppressed [ 777.936822][T19772] binder: 19770:19772 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 777.991361][T19774] binder: 19773:19774 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 778.006985][T19772] binder_thread_write: 20 callbacks suppressed [ 778.006999][T19772] binder: 19770:19772 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 778.032307][T19774] binder: 19773:19774 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 778.057840][T19774] binder: 19773:19774 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 08:36:47 executing program 5: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0x0, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:47 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x0, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) [ 778.114684][T19774] binder: 19773:19774 got transaction to invalid handle [ 778.139268][T19774] binder: 19773:19774 transaction failed 29201/-22, size 0-32 line 2995 [ 778.279247][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:36:47 executing program 4: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x0, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:47 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x20, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @request_death, @exit_looper], 0x38, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec0"}) 08:36:47 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x20, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:47 executing program 3: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x0, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) [ 778.638534][T19891] binder: 19889:19891 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 778.657766][T19892] binder: 19890:19892 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 778.677126][T19891] binder: 19889:19891 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 08:36:47 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x20, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @request_death, @exit_looper], 0x38, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec0"}) [ 778.731854][T19892] binder: 19890:19892 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 778.809396][T19892] binder: 19890:19892 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 778.846336][T19892] binder: 19890:19892 got transaction to invalid handle [ 778.855492][T19957] binder: 19956:19957 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 778.878228][T19892] binder: 19890:19892 transaction failed 29201/-22, size 0-32 line 2995 [ 778.888872][T19957] binder: 19956:19957 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 08:36:47 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x20, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 779.005568][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 779.116443][T20011] binder: 20010:20011 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 779.158853][T20011] binder: 20010:20011 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 779.172817][T20011] binder: 20010:20011 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 779.191387][T20011] binder: 20010:20011 got transaction to invalid handle 08:36:48 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x20, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 779.346378][T20114] binder: 20113:20114 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 779.408105][T20114] binder: 20113:20114 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER 08:36:48 executing program 5: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0x0, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) [ 779.450557][T20114] binder: 20113:20114 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 779.488111][T20114] binder: 20113:20114 got transaction to invalid handle 08:36:48 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x0, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) [ 779.498818][T20114] binder_transaction: 1 callbacks suppressed [ 779.498839][T20114] binder: 20113:20114 transaction failed 29201/-22, size 0-32 line 2995 08:36:48 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x20, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 779.744347][ T17] binder_release_work: 1 callbacks suppressed [ 779.744354][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 779.834714][T20225] binder: 20223:20225 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 779.849125][T20225] binder: 20223:20225 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 779.866146][T20225] binder: 20223:20225 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 779.887331][T20225] binder: 20223:20225 got transaction to invalid handle [ 779.911448][T20225] binder: 20223:20225 transaction failed 29201/-22, size 0-32 line 2995 08:36:48 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x0, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 780.008890][T13002] binder: undelivered TRANSACTION_ERROR: 29201 08:36:49 executing program 3: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x0, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:49 executing program 4: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) [ 780.084266][T20331] binder: 20330:20331 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 780.128844][T20331] binder: 20330:20331 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 780.169253][T20331] binder: 20330:20331 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 780.235183][T20331] binder: 20330:20331 transaction failed 29201/-22, size 0-40 line 2995 08:36:49 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x0, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 780.336233][T13002] binder: undelivered TRANSACTION_ERROR: 29201 [ 780.425805][T20439] binder: 20438:20439 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 780.455004][T20439] binder: 20438:20439 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 780.475803][T20439] binder: 20438:20439 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 780.491964][T20439] binder: 20438:20439 transaction failed 29201/-22, size 0-40 line 2995 08:36:49 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x0, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:49 executing program 2: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) [ 780.637800][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 780.672897][T20549] binder: 20548:20549 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 780.727684][T20549] binder: 20548:20549 transaction failed 29201/-22, size 0-40 line 2995 08:36:49 executing program 2: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:49 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0x0, 0xffffffffffffffff) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r2 = syz_open_dev$admmidi(&(0x7f0000000000)='/dev/admmidi#\x00', 0x200, 0xc0040) ioctl$KDGKBENT(r2, 0x4b46, &(0x7f0000000080)={0x81, 0x1, 0x10001}) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x25, 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="1163484000000000000000000000020000000000000000000000dd8651ad81a1ad0e29bf54"], 0x0, 0x0, 0x0}) 08:36:49 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x0, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:49 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x20, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 780.949012][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:36:49 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0x0, 0x200000000000) recvmmsg(0xffffffffffffffff, &(0x7f0000003500)=[{{0x0, 0x0, &(0x7f0000002580)=[{&(0x7f0000000000)=""/115, 0x73}], 0x1}}], 0x1, 0x0, 0x0) r1 = syz_open_procfs(0x0, &(0x7f0000000100)='net/ip_mr_cache\x00') preadv(r1, &(0x7f0000000480), 0x10000000000002a1, 0x36) read$FUSE(r1, &(0x7f0000000240), 0x1000) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r2, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x20, 0x0, &(0x7f0000000080)=ANY=[@ANYBLOB="116363400000000000000000000002000000000000400000adff7fad0e29bf54"], 0x0, 0x0, 0x0}) [ 781.112812][T20658] binder: 20657:20658 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 781.147245][T20660] binder: 20659:20660 unknown command 1080255249 [ 781.156150][T20658] binder_transaction: 3 callbacks suppressed [ 781.156162][T20658] binder: 20657:20658 got transaction to invalid handle [ 781.182011][T20660] binder: 20659:20660 ioctl c0306201 20000200 returned -22 [ 781.239080][T20658] binder: 20657:20658 transaction failed 29201/-22, size 0-32 line 2995 08:36:50 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0x0, 0x200000000000) recvmmsg(0xffffffffffffffff, &(0x7f0000003500)=[{{0x0, 0x0, &(0x7f0000002580)=[{&(0x7f0000000000)=""/115, 0x73}], 0x1}}], 0x1, 0x0, 0x0) r1 = syz_open_procfs(0x0, &(0x7f0000000100)='net/ip_mr_cache\x00') preadv(r1, &(0x7f0000000480), 0x10000000000002a1, 0x36) read$FUSE(r1, &(0x7f0000000240), 0x1000) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r2, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x20, 0x0, &(0x7f0000000080)=ANY=[@ANYBLOB="116363400000000000000000000002000000000000400000adff7fad0e29bf54"], 0x0, 0x0, 0x0}) 08:36:50 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0x0, 0x200000000000) recvmmsg(0xffffffffffffffff, &(0x7f0000003500)=[{{0x0, 0x0, &(0x7f0000002580)=[{&(0x7f0000000000)=""/115, 0x73}], 0x1}}], 0x1, 0x0, 0x0) r1 = syz_open_procfs(0x0, &(0x7f0000000100)='net/ip_mr_cache\x00') preadv(r1, &(0x7f0000000480), 0x10000000000002a1, 0x36) read$FUSE(r1, &(0x7f0000000240), 0x1000) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r2, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x20, 0x0, &(0x7f0000000080)=ANY=[@ANYBLOB="116363400000000000000000000002000000000000400000adff7fad0e29bf54"], 0x0, 0x0, 0x0}) [ 781.413059][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:36:50 executing program 3: r0 = openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) [ 781.463718][T20771] binder: 20769:20771 unknown command 1080255249 [ 781.487621][T20771] binder: 20769:20771 ioctl c0306201 20000200 returned -22 [ 781.527152][T20777] binder: 20776:20777 unknown command 1080255249 [ 781.565551][T20777] binder: 20776:20777 ioctl c0306201 20000200 returned -22 08:36:50 executing program 4: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:50 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x20, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:50 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0x0, 0x200000000000) recvmmsg(0xffffffffffffffff, &(0x7f0000003500)=[{{0x0, 0x0, &(0x7f0000002580)=[{&(0x7f0000000000)=""/115, 0x73}], 0x1}}], 0x1, 0x0, 0x0) r1 = syz_open_procfs(0x0, &(0x7f0000000100)='net/ip_mr_cache\x00') preadv(r1, &(0x7f0000000480), 0x10000000000002a1, 0x36) read$FUSE(r1, &(0x7f0000000240), 0x1000) r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r2, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000200)={0x20, 0x0, &(0x7f0000000080)=ANY=[@ANYBLOB="116363400000000000000000000002000000000000400000adff7fad0e29bf54"], 0x0, 0x0, 0x0}) 08:36:50 executing program 5: r0 = socket$netlink(0x10, 0x3, 0x4000000000000004) r1 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r1, &(0x7f0000000100)={0x2, 0x4e20}, 0x10) setsockopt$inet_tcp_TCP_CONGESTION(r1, 0x6, 0xd, &(0x7f0000000000)='dctcp\x00', 0x6) r2 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000300)='/dev/vcs\x00', 0x10000, 0x0) ioctl$PERF_EVENT_IOC_MODIFY_ATTRIBUTES(r2, 0x4008240b, &(0x7f0000000200)={0x0, 0xfffffffffffffee5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0xfffffffffffffffc, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}) r3 = socket$inet_udplite(0x2, 0x2, 0x88) r4 = add_key$keyring(&(0x7f0000000340)='keyring\x00', &(0x7f0000000380)={'syz', 0x3}, 0x0, 0x0, 0xfffffffffffffffd) request_key(&(0x7f00000000c0)='keyring\x00', &(0x7f0000000140)={'syz', 0x0}, &(0x7f0000000180)='dctcp\x00', r4) ioctl(r3, 0x1000008914, &(0x7f0000000000)) socket$inet_udp(0x2, 0x2, 0x0) bind$inet(0xffffffffffffffff, 0x0, 0x0) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x0, 0x0, 0x0) connect$inet(0xffffffffffffffff, 0x0, 0x0) ioctl$sock_ifreq(0xffffffffffffffff, 0x0, 0x0) setsockopt$inet_opts(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) setsockopt$inet_tcp_TCP_CONGESTION(0xffffffffffffffff, 0x6, 0xd, 0x0, 0x0) sysfs$3(0x3) getsockopt$IP_VS_SO_GET_VERSION(0xffffffffffffffff, 0x0, 0x480, 0x0, 0x0) setsockopt$netlink_NETLINK_BROADCAST_ERROR(0xffffffffffffffff, 0x10e, 0x4, 0x0, 0x0) setsockopt$SO_BINDTODEVICE(0xffffffffffffffff, 0x1, 0x19, 0x0, 0xfffffffffffffeaa) sendto$inet(r1, 0x0, 0x0, 0x20000000, &(0x7f0000000080)={0x2, 0x4e20}, 0x4f) sendto$inet(r1, &(0x7f0000000700)="f4", 0x1, 0x0, 0x0, 0x0) writev(r0, &(0x7f0000000040)=[{&(0x7f0000000280)="580000001400192340834b80040d8c5602067fffffff81000000000000dca87086a5c000004f6400940005891550f4a8000000006700008000f0fffeffff09000080fff5dd00000010000100000c0900fcff00", 0x53}], 0x1) [ 781.714075][T20788] binder: 20783:20788 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 781.733071][T20785] binder: 20784:20785 unknown command 1080255249 [ 781.749322][T20788] binder: 20783:20788 got transaction to invalid handle [ 781.758088][T20785] binder: 20784:20785 ioctl c0306201 20000200 returned -22 [ 781.772870][T20788] binder: 20783:20788 transaction failed 29201/-22, size 0-32 line 2995 08:36:50 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0x0, 0x200000000000) recvmmsg(0xffffffffffffffff, &(0x7f0000003500)=[{{0x0, 0x0, &(0x7f0000002580)=[{&(0x7f0000000000)=""/115, 0x73}], 0x1}}], 0x1, 0x0, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000100)='net/ip_mr_cache\x00') preadv(r0, &(0x7f0000000480), 0x10000000000002a1, 0x36) read$FUSE(r0, &(0x7f0000000240), 0x1000) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) 08:36:50 executing program 5: r0 = openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) [ 781.997479][ T8159] binder: undelivered TRANSACTION_ERROR: 29201 08:36:51 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x0, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:51 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x20, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:51 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0x0, 0x200000000000) recvmmsg(0xffffffffffffffff, &(0x7f0000003500)=[{{0x0, 0x0, &(0x7f0000002580)=[{&(0x7f0000000000)=""/115, 0x73}], 0x1}}], 0x1, 0x0, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000100)='net/ip_mr_cache\x00') preadv(r0, &(0x7f0000000480), 0x10000000000002a1, 0x36) read$FUSE(r0, &(0x7f0000000240), 0x1000) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x20011, r1, 0x0) [ 782.391352][T20913] binder: 20911:20913 got transaction to invalid handle 08:36:51 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0x0, 0x200000000000) recvmmsg(0xffffffffffffffff, &(0x7f0000003500)=[{{0x0, 0x0, &(0x7f0000002580)=[{&(0x7f0000000000)=""/115, 0x73}], 0x1}}], 0x1, 0x0, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000100)='net/ip_mr_cache\x00') preadv(r0, &(0x7f0000000480), 0x10000000000002a1, 0x36) read$FUSE(r0, &(0x7f0000000240), 0x1000) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) [ 782.432882][T20913] binder: 20911:20913 transaction failed 29201/-22, size 0-32 line 2995 08:36:51 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x0, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 782.635695][T13002] binder: undelivered TRANSACTION_ERROR: 29201 08:36:51 executing program 3: r0 = openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) [ 782.742886][T21023] binder: 21022:21023 got transaction to invalid handle [ 782.775597][T21023] binder: 21022:21023 transaction failed 29201/-22, size 0-40 line 2995 [ 782.995580][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:36:52 executing program 4: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:52 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0x0, 0x200000000000) recvmmsg(0xffffffffffffffff, &(0x7f0000003500)=[{{0x0, 0x0, &(0x7f0000002580)=[{&(0x7f0000000000)=""/115, 0x73}], 0x1}}], 0x1, 0x0, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000100)='net/ip_mr_cache\x00') preadv(r0, &(0x7f0000000480), 0x10000000000002a1, 0x36) read$FUSE(r0, &(0x7f0000000240), 0x1000) 08:36:52 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x0, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:52 executing program 5: r0 = openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:52 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0x0, 0x200000000000) recvmmsg(0xffffffffffffffff, &(0x7f0000003500)=[{{0x0, 0x0, &(0x7f0000002580)=[{&(0x7f0000000000)=""/115, 0x73}], 0x1}}], 0x1, 0x0, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000100)='net/ip_mr_cache\x00') read$FUSE(r0, &(0x7f0000000240), 0x1000) [ 783.254835][T21137] binder_thread_write: 5 callbacks suppressed [ 783.254849][T21137] binder: 21136:21137 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 783.309958][T21137] binder_thread_write: 2 callbacks suppressed [ 783.309970][T21137] binder: 21136:21137 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 783.364477][T21137] binder_thread_write: 5 callbacks suppressed [ 783.364492][T21137] binder: 21136:21137 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 08:36:52 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0x0, 0x200000000000) recvmmsg(0xffffffffffffffff, &(0x7f0000003500)=[{{0x0, 0x0, &(0x7f0000002580)=[{&(0x7f0000000000)=""/115, 0x73}], 0x1}}], 0x1, 0x0, 0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000000240), 0x1000) [ 783.459001][T21137] binder: 21136:21137 got transaction to invalid handle [ 783.527194][T21137] binder: 21136:21137 transaction failed 29201/-22, size 0-40 line 2995 08:36:52 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0x0, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:52 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0x0, 0x200000000000) recvmmsg(0xffffffffffffffff, &(0x7f0000003500)=[{{0x0, 0x0, &(0x7f0000002580)=[{&(0x7f0000000000)=""/115, 0x73}], 0x1}}], 0x1, 0x0, 0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000000240), 0x1000) 08:36:52 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x0, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 783.858395][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:36:52 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0x0, 0x200000000000) recvmmsg(0xffffffffffffffff, &(0x7f0000003500)=[{{0x0, 0x0, &(0x7f0000002580)=[{&(0x7f0000000000)=""/115, 0x73}], 0x1}}], 0x1, 0x0, 0x0) read$FUSE(0xffffffffffffffff, &(0x7f0000000240), 0x1000) [ 783.927479][T21258] binder: 21257:21258 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 784.002197][T21258] binder: 21257:21258 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER 08:36:53 executing program 2: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0x0, 0x200000000000) r0 = syz_open_procfs(0x0, &(0x7f0000000100)='net/ip_mr_cache\x00') read$FUSE(r0, &(0x7f0000000240), 0x1000) [ 784.048911][T21258] binder: 21257:21258 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 784.085741][T21258] binder: 21257:21258 got transaction to invalid handle 08:36:53 executing program 3: r0 = openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:53 executing program 4: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) r1 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x400800, 0x0) sendto$inet6(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) ioctl$VIDIOC_S_AUDIO(r1, 0x40345622, 0x0) mq_timedreceive(r1, 0x0, 0x0, 0xe9, &(0x7f0000000140)) semget$private(0x0, 0x3, 0x40) semctl$SEM_STAT(0x0, 0x0, 0x12, 0x0) ioctl$VIDIOC_S_EDID(0xffffffffffffffff, 0xc0285629, &(0x7f0000000340)={0x0, 0xfffffffffffffc01, 0x0, [], 0x0}) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:36:53 executing program 2: r0 = syz_open_procfs(0x0, &(0x7f0000000100)='net/ip_mr_cache\x00') read$FUSE(r0, &(0x7f0000000240), 0x1000) 08:36:53 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x20, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:53 executing program 5: r0 = openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x65da, 0x826, 0xfffffffffffffffa, 0x0, 0x3, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:53 executing program 2: r0 = syz_open_procfs(0x0, 0x0) read$FUSE(r0, &(0x7f0000000240), 0x1000) [ 784.699173][T21383] binder: 21380:21383 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 784.734575][T21383] binder: 21380:21383 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 784.782183][T21383] binder: 21380:21383 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 784.823657][T21383] binder: 21380:21383 got transaction to invalid handle [ 784.855344][T21383] binder_transaction: 1 callbacks suppressed [ 784.855367][T21383] binder: 21380:21383 transaction failed 29201/-22, size 0-32 line 2995 08:36:53 executing program 2: r0 = syz_open_procfs(0x0, 0x0) read$FUSE(r0, &(0x7f0000000240), 0x1000) [ 785.039176][ C1] sched: DL replenish lagged too much [ 785.076450][T13002] binder_release_work: 1 callbacks suppressed [ 785.076459][T13002] binder: undelivered TRANSACTION_ERROR: 29201 08:36:54 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0x0, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:54 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x20, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:54 executing program 2: r0 = syz_open_procfs(0x0, 0x0) read$FUSE(r0, &(0x7f0000000240), 0x1000) [ 785.528917][T21501] binder: 21500:21501 DecRefs 0 refcount change on invalid ref 2 ret -22 08:36:54 executing program 2: syz_open_procfs(0x0, &(0x7f0000000100)='net/ip_mr_cache\x00') read$FUSE(0xffffffffffffffff, &(0x7f0000000240), 0x1000) [ 785.572875][T21501] binder: 21500:21501 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 785.599276][T21501] binder: 21500:21501 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 08:36:54 executing program 2: syz_open_procfs(0x0, &(0x7f0000000100)='net/ip_mr_cache\x00') read$FUSE(0xffffffffffffffff, &(0x7f0000000240), 0x1000) [ 785.641345][T21501] binder: 21500:21501 got transaction to invalid handle [ 785.669118][T21501] binder: 21500:21501 transaction failed 29201/-22, size 0-32 line 2995 08:36:54 executing program 3: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) r1 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x400800, 0x0) sendto$inet6(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) ioctl$VIDIOC_S_AUDIO(r1, 0x40345622, 0x0) mq_timedreceive(r1, 0x0, 0x0, 0xe9, &(0x7f0000000140)) semget$private(0x0, 0x3, 0x40) semctl$SEM_STAT(0x0, 0x0, 0x12, 0x0) ioctl$VIDIOC_S_EDID(0xffffffffffffffff, 0xc0285629, &(0x7f0000000340)={0x0, 0xfffffffffffffc01, 0x0, [], 0x0}) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:36:54 executing program 2: syz_open_procfs(0x0, &(0x7f0000000100)='net/ip_mr_cache\x00') read$FUSE(0xffffffffffffffff, &(0x7f0000000240), 0x1000) 08:36:54 executing program 4: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) r1 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x400800, 0x0) sendto$inet6(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) ioctl$VIDIOC_S_AUDIO(r1, 0x40345622, 0x0) mq_timedreceive(r1, 0x0, 0x0, 0xe9, &(0x7f0000000140)) semget$private(0x0, 0x3, 0x40) semctl$SEM_STAT(0x0, 0x0, 0x12, 0x0) ioctl$VIDIOC_S_EDID(0xffffffffffffffff, 0xc0285629, &(0x7f0000000340)={0x0, 0xfffffffffffffc01, 0x0, [], 0x0}) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:36:54 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) r1 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x400800, 0x0) sendto$inet6(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) ioctl$VIDIOC_S_AUDIO(r1, 0x40345622, 0x0) mq_timedreceive(r1, 0x0, 0x0, 0xe9, &(0x7f0000000140)) semget$private(0x0, 0x3, 0x40) semctl$SEM_STAT(0x0, 0x0, 0x12, 0x0) ioctl$VIDIOC_S_EDID(0xffffffffffffffff, 0xc0285629, &(0x7f0000000340)={0x0, 0xfffffffffffffc01, 0x0, [], 0x0}) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:36:54 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x20, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 785.937720][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:36:55 executing program 2: r0 = syz_open_procfs(0x0, &(0x7f0000000100)='net/ip_mr_cache\x00') read$FUSE(r0, 0x0, 0x0) [ 786.054972][T21625] binder: 21624:21625 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 786.091873][T21625] binder: 21624:21625 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 786.192868][T21625] binder: 21624:21625 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 08:36:55 executing program 2: getrandom(&(0x7f0000000c40)=""/4096, 0x1000, 0x2) [ 786.281814][T21625] binder: 21624:21625 got transaction to invalid handle [ 786.289153][T21625] binder: 21624:21625 transaction failed 29201/-22, size 0-32 line 2995 [ 786.684967][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:36:55 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0x0, 0x1f, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:55 executing program 4: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) r1 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x400800, 0x0) sendto$inet6(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) ioctl$VIDIOC_S_AUDIO(r1, 0x40345622, 0x0) mq_timedreceive(r1, 0x0, 0x0, 0xe9, &(0x7f0000000140)) semget$private(0x0, 0x3, 0x40) semctl$SEM_STAT(0x0, 0x0, 0x12, 0x0) ioctl$VIDIOC_S_EDID(0xffffffffffffffff, 0xc0285629, &(0x7f0000000340)={0x0, 0xfffffffffffffc01, 0x0, [], 0x0}) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:36:55 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x0, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:55 executing program 2: pause() rt_sigpending(&(0x7f0000000000), 0x8) getrandom(&(0x7f0000000c40)=""/4096, 0x1000, 0x2) 08:36:55 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) r1 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x400800, 0x0) sendto$inet6(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) ioctl$VIDIOC_S_AUDIO(r1, 0x40345622, 0x0) mq_timedreceive(r1, 0x0, 0x0, 0xe9, &(0x7f0000000140)) semget$private(0x0, 0x3, 0x40) semctl$SEM_STAT(0x0, 0x0, 0x12, 0x0) ioctl$VIDIOC_S_EDID(0xffffffffffffffff, 0xc0285629, &(0x7f0000000340)={0x0, 0xfffffffffffffc01, 0x0, [], 0x0}) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:36:55 executing program 3: getrandom(&(0x7f0000000c40)=""/4096, 0x1000, 0x0) [ 787.034595][T21751] binder: 21748:21751 DecRefs 0 refcount change on invalid ref 2 ret -22 08:36:56 executing program 3: perf_event_open(&(0x7f0000940000)={0x2, 0x70, 0xfffffffffffffffe, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_fanout(r0, 0x107, 0x12, &(0x7f0000000000)={0x0, 0x0, 0xfffffffffffffffe}, 0x4) r1 = socket$inet_udp(0x2, 0x2, 0x0) r2 = memfd_create(&(0x7f0000000040)='\x95Z\t\x00\x00\x00', 0x0) ftruncate(r2, 0x40001) setsockopt$inet_mtu(r1, 0x0, 0xa, &(0x7f00000000c0)=0x4, 0xfd88) connect$inet(r1, &(0x7f00000001c0)={0x2, 0x0, @loopback}, 0x10) sendfile(r1, r2, 0x0, 0xffe4) [ 787.214653][T21751] binder: 21748:21751 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 787.257197][T21751] binder: 21748:21751 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 787.287904][T21751] binder: 21748:21751 got transaction to invalid handle [ 787.300302][T21751] binder: 21748:21751 transaction failed 29201/-22, size 0-40 line 2995 [ 787.409463][ C0] net_ratelimit: 4 callbacks suppressed [ 787.409509][ C0] protocol 88fb is buggy, dev hsr_slave_0 [ 787.414145][T21778] IPv4: Oversized IP packet from 127.0.0.1 [ 787.415721][ C0] protocol 88fb is buggy, dev hsr_slave_1 [ 787.422421][ C1] IPv4: Oversized IP packet from 127.0.0.1 [ 787.559533][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 787.566282][ C1] protocol 88fb is buggy, dev hsr_slave_1 08:36:56 executing program 4: syz_execute_func(0x0) syz_execute_func(&(0x7f0000000040)="3666440f50f564ff0941c366440f56c9660f3a16649c6700c4617b12e5712d41dfd049b6100f11d46f") syz_execute_func(&(0x7f0000000280)="c4e379614832074a2be92c3e93980f053ef3aec4a37bf0c50141e2e922eb66d995f2144006262fc441e0c2250000000043660f8fc978c61ba16379637902000000f2d2dec461dc57b1e6250000c482514654fa00c4e2859ecf491e2f16c2e54cc54cbec5c54d0f2c718f56c442319ebb70fe6581f0430fc0b267f34cb4ba1c585641564105ba16f2ae66410f3a162888c423c96cb83d000000fe66410fd1e426660fdf53098f69609b5687a8e1430fae277cd8d8a1a12ad764c4213a5fc066420f383bd4643619ec0000f440646666413a0f3830ca30ca400f38253d0300000067ddeac4c2801d9c96c9e8e9362665e94612c8009ad0818194d8000f092ddd8f0b00c4a17ae64295007b1cffd2fb2e36646466264683b9080000000d5df82e440fdd0636b2aac4d9c70f485c5e2ea20f6baf00c4e3997841048c414c598374fb0a07b3ddaccd58f0fe4000edf20f1dbe001000001249e5c4a2a9924cbe0be5978047910002c1045c0b47cc47ccf92f5c65002d08000000439b420fae06a75e0f4401a9bb000042c4414974ecd53131fbdbc93bec") 08:36:56 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x0, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 787.683981][T13002] binder: undelivered TRANSACTION_ERROR: 29201 08:36:56 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) r1 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x400800, 0x0) sendto$inet6(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) ioctl$VIDIOC_S_AUDIO(r1, 0x40345622, 0x0) mq_timedreceive(r1, 0x0, 0x0, 0xe9, &(0x7f0000000140)) semget$private(0x0, 0x3, 0x40) semctl$SEM_STAT(0x0, 0x0, 0x12, 0x0) ioctl$VIDIOC_S_EDID(0xffffffffffffffff, 0xc0285629, &(0x7f0000000340)={0x0, 0xfffffffffffffc01, 0x0, [], 0x0}) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") [ 787.757628][T21873] binder: 21872:21873 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 787.787694][T21873] binder: 21872:21873 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 787.832474][T21873] binder: 21872:21873 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 787.852256][T21873] binder: 21872:21873 got transaction to invalid handle 08:36:56 executing program 3: perf_event_open(&(0x7f0000940000)={0x2, 0x70, 0xfffffffffffffffe, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_fanout(r0, 0x107, 0x12, &(0x7f0000000000)={0x0, 0x0, 0xfffffffffffffffe}, 0x4) r1 = socket$inet_udp(0x2, 0x2, 0x0) r2 = memfd_create(&(0x7f0000000040)='\x95Z\t\x00\x00\x00', 0x0) ftruncate(r2, 0x40001) setsockopt$inet_mtu(r1, 0x0, 0xa, &(0x7f00000000c0)=0x4, 0xfd88) connect$inet(r1, &(0x7f00000001c0)={0x2, 0x0, @loopback}, 0x10) sendfile(r1, r2, 0x0, 0xffe4) [ 787.995611][T21873] binder: 21872:21873 transaction failed 29201/-22, size 0-40 line 2995 08:36:57 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x0, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 788.100384][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 788.190239][T21987] binder: 21986:21987 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 788.198414][T21983] IPv4: Oversized IP packet from 127.0.0.1 [ 788.198871][T21987] binder: 21986:21987 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 788.204853][ C1] protocol 88fb is buggy, dev hsr_slave_0 [ 788.213634][T21987] binder: 21986:21987 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 788.219337][ C1] protocol 88fb is buggy, dev hsr_slave_1 [ 788.227252][T21987] binder: 21986:21987 got transaction to invalid handle [ 788.233213][ C1] IPv4: Oversized IP packet from 127.0.0.1 [ 788.245678][T21987] binder: 21986:21987 transaction failed 29201/-22, size 0-40 line 2995 [ 788.374650][T13002] binder: undelivered TRANSACTION_ERROR: 29201 08:36:57 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:57 executing program 3: perf_event_open(&(0x7f0000940000)={0x2, 0x70, 0xfffffffffffffffe, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_fanout(r0, 0x107, 0x12, &(0x7f0000000000)={0x0, 0x0, 0xfffffffffffffffe}, 0x4) r1 = socket$inet_udp(0x2, 0x2, 0x0) r2 = memfd_create(&(0x7f0000000040)='\x95Z\t\x00\x00\x00', 0x0) ftruncate(r2, 0x40001) setsockopt$inet_mtu(r1, 0x0, 0xa, &(0x7f00000000c0)=0x4, 0xfd88) connect$inet(r1, &(0x7f00000001c0)={0x2, 0x0, @loopback}, 0x10) sendfile(r1, r2, 0x0, 0xffe4) 08:36:57 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) r1 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x400800, 0x0) sendto$inet6(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) ioctl$VIDIOC_S_AUDIO(r1, 0x40345622, 0x0) mq_timedreceive(r1, 0x0, 0x0, 0xe9, &(0x7f0000000140)) semget$private(0x0, 0x3, 0x40) semctl$SEM_STAT(0x0, 0x0, 0x12, 0x0) ioctl$VIDIOC_S_EDID(0xffffffffffffffff, 0xc0285629, &(0x7f0000000340)={0x0, 0xfffffffffffffc01, 0x0, [], 0x0}) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) 08:36:57 executing program 2: seccomp(0x1, 0x1, &(0x7f0000000180)={0x1, &(0x7f0000000000)=[{0x2000000006, 0x0, 0x0, 0xffffff7f7fffff7e}]}) pause() syz_execute_func(&(0x7f0000000780)="666647dec04a2be93699980f053ef3aec4a37bf0c50141e2e926b5c9459828213e3e400f2c18a30000262ff342906646da4e329200d2dec461dc55b1e6172525000e818f470f94c4813d5d942900800000800080801b859ecf8fe97c810f69e08f4cbec5c4c2858c3f8f56c4613fc21d9053c7ab86c4213e5377000043d9497dbf825959670f9fd08f696801d3c442fd3410564105ba16f2ae66410ffe3a16286c6c0fbc7b1f000000fe8f08e4a25600b1500909660fdf53098f49609a567b2c89e2897474d866dee4b60ffab288d78a0000004302660f38de8e85e1f32646dec43b7d0f12e400f4260fe88c4200000000ca30ca3e400f18cebb3cbb3c0209912af3430f47bb000000000000456c0f8450000000d0b62f818194d800d808dd4805c4426d960fc4a17ae64295589cffffc3bd7c6d8300c463315f7700000c0ce42ec4a17c1002970606b2aa260f38c9ba0f0000000f485c5e2ee1538374fb0a07c401f1eb27f247acecef36660f38058b976192361d09f4f5e5979747910002c1045c0b47cc47cc5c389f9f060f0f2ef246e16d4401a9bb000042d8fb4974ec0b31c4617ddd880c0000003422") 08:36:57 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x20, &(0x7f0000000440), &(0x7f0000000480)=[0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 788.472207][T22095] binder: 22093:22095 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 788.489234][T22095] binder: 22093:22095 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 788.498395][T22095] binder: 22093:22095 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 788.512612][T22095] binder: 22093:22095 got transaction to invalid handle [ 788.521588][T22095] binder: 22093:22095 transaction failed 29201/-22, size 0-32 line 2995 08:36:57 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x20, &(0x7f0000000440), &(0x7f0000000480)=[0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:57 executing program 4: [ 788.732248][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:36:57 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) r1 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x400800, 0x0) sendto$inet6(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) ioctl$VIDIOC_S_AUDIO(r1, 0x40345622, 0x0) mq_timedreceive(r1, 0x0, 0x0, 0xe9, &(0x7f0000000140)) semget$private(0x0, 0x3, 0x40) semctl$SEM_STAT(0x0, 0x0, 0x12, 0x0) ioctl$VIDIOC_S_EDID(0xffffffffffffffff, 0xc0285629, &(0x7f0000000340)={0x0, 0xfffffffffffffc01, 0x0, [], 0x0}) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) 08:36:57 executing program 3: 08:36:57 executing program 4: [ 788.867239][T22211] binder: 22207:22211 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 788.930568][T22211] binder: 22207:22211 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 788.967468][T22211] binder: 22207:22211 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 08:36:57 executing program 3: [ 788.987379][T22211] binder: 22207:22211 got transaction to invalid handle [ 789.006286][T22211] binder: 22207:22211 transaction failed 29201/-22, size 0-32 line 2995 08:36:58 executing program 4: [ 789.284042][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:36:58 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:58 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) r1 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x400800, 0x0) sendto$inet6(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) ioctl$VIDIOC_S_AUDIO(r1, 0x40345622, 0x0) mq_timedreceive(r1, 0x0, 0x0, 0xe9, &(0x7f0000000140)) semget$private(0x0, 0x3, 0x40) semctl$SEM_STAT(0x0, 0x0, 0x12, 0x0) ioctl$VIDIOC_S_EDID(0xffffffffffffffff, 0xc0285629, &(0x7f0000000340)={0x0, 0xfffffffffffffc01, 0x0, [], 0x0}) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) 08:36:58 executing program 2: r0 = socket$inet6(0xa, 0x2000000000001, 0x0) setsockopt$sock_int(r0, 0x1, 0xf, &(0x7f0000687000)=0x5c802861, 0x4) setsockopt$inet6_int(r0, 0x29, 0xb, &(0x7f0000000000)=0x4, 0x4) bind$inet6(r0, &(0x7f0000402000)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) sendto$inet6(r0, 0x0, 0x0, 0xfffffefffffffffe, &(0x7f0000f62fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) 08:36:58 executing program 4: 08:36:58 executing program 3: syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x3a, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x0, 0x0, 0x8}}}}}, 0x0) 08:36:58 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x20, &(0x7f0000000440), &(0x7f0000000480)=[0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 789.625301][T22337] binder: 22336:22337 DecRefs 0 refcount change on invalid ref 2 ret -22 08:36:58 executing program 4: r0 = socket$inet(0x2, 0x200000002, 0x0) bind$inet(r0, &(0x7f0000000040)={0x2, 0x4004e21}, 0x10) connect$inet(r0, &(0x7f0000001380)={0x2, 0x0, @remote}, 0x10) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x86ddffff, 0x4e21, 0x8}}}}}, 0x0) 08:36:58 executing program 3: r0 = syz_open_dev$dri(&(0x7f0000000240)='/dev/dri/card#\x00', 0xc72f, 0x0) ioctl$DRM_IOCTL_MODE_GETCRTC(r0, 0xc06864a1, &(0x7f0000000040)={0x0, 0x0, 0x8, 0x0, 0x0, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, "2a01c0284b1863982eb766a501e119278081f2b2fbe19236d536660a33ded33e"}}) [ 789.708892][T22337] binder: 22336:22337 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 789.758874][T22337] binder: 22336:22337 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 08:36:58 executing program 2: syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x3) r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") setsockopt$inet6_tcp_int(0xffffffffffffffff, 0x6, 0x13, 0x0, 0x0) connect$inet6(0xffffffffffffffff, &(0x7f0000000140)={0xa, 0x0, 0x100000001, @rand_addr, 0x7ff}, 0x1c) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000700)={0xb, 0x6, &(0x7f0000000400)=@framed={{0x18, 0x0, 0x0, 0x0, 0x6, 0x0, 0x0, 0x0, 0x7}, [@call={0x85, 0x0, 0x0, 0x24}, @ldst={0x1, 0x0, 0x3, 0x4, 0x7, 0xffffffffffffffff, 0xffffffffffffffff}, @ldst={0x3, 0x1, 0x3, 0x1, 0x5, 0x1e, 0x10}]}, &(0x7f0000000480)='GPL\x00', 0x7, 0xc6, &(0x7f0000000800)=""/198, 0x41f00, 0x1, [], 0x0, 0xf, 0xffffffffffffffff, 0x8, &(0x7f00000004c0)={0x0, 0x9}, 0x8, 0x10, &(0x7f0000000580)={0x4, 0x1f, 0x7, 0x3ff}, 0x10}, 0x70) bpf$BPF_PROG_DETACH(0x9, &(0x7f00000005c0)={0x0, r1, 0x0, 0x2}, 0x14) setsockopt$inet6_tcp_TCP_ULP(0xffffffffffffffff, 0x6, 0x1f, &(0x7f0000000540)='tls\x00', 0x4) r2 = socket$inet_udplite(0x2, 0x2, 0x88) setsockopt$inet6_IPV6_FLOWLABEL_MGR(0xffffffffffffffff, 0x29, 0x20, &(0x7f0000000240)={@mcast1, 0x7, 0x1, 0x1, 0x4, 0x5, 0x800bdc}, 0xfffffffffffffd75) ioctl(r2, 0x1000008912, &(0x7f00000001c0)="0adc1f123c123f319bc070") r3 = accept4$inet6(0xffffffffffffffff, &(0x7f0000000300)={0xa, 0x0, 0x0, @initdev}, &(0x7f0000000280)=0x29a, 0x800) setsockopt$inet_sctp6_SCTP_SOCKOPT_BINDX_REM(r3, 0x84, 0x65, &(0x7f0000000600)=[@in={0x2, 0x4e20, @multicast2}, @in6={0xa, 0x4e20, 0x60, @remote, 0x7}, @in6={0xa, 0x4e24, 0x3, @remote, 0x1}, @in={0x2, 0x4e20, @remote}, @in6={0xa, 0x4e22, 0x0, @remote, 0x8}], 0x74) r4 = socket$inet6(0xa, 0x2, 0x0) ioctl$sock_inet6_tcp_SIOCATMARK(0xffffffffffffffff, 0x8905, &(0x7f0000000440)) getsockopt$inet6_int(r4, 0x29, 0x5, &(0x7f0000000000), &(0x7f0000000340)=0x83) r5 = accept(r3, &(0x7f0000000680)=@in={0x2, 0x0, @multicast2}, &(0x7f00000000c0)=0x17) ioctl$sock_bt_cmtp_CMTPGETCONNINFO(r5, 0x800443d3, &(0x7f0000000380)={{0x8001, 0x1000, 0x800, 0x2, 0x84000000, 0x2}, 0x2, 0x5b368c49, 0x9}) ioctl(r0, 0x0, 0x0) setsockopt$inet6_IPV6_FLOWLABEL_MGR(0xffffffffffffffff, 0x29, 0x20, &(0x7f0000f68000)={@loopback, 0x800, 0x0, 0xff, 0x1}, 0x20) setsockopt$inet6_int(r3, 0x29, 0x21, &(0x7f0000000200)=0x1, 0xfffffffffffffd60) syz_genetlink_get_family_id$ipvs(&(0x7f0000000780)='IPVS\x00') sendmsg$IPVS_CMD_SET_SERVICE(r5, 0x0, 0x800) setsockopt$TIPC_IMPORTANCE(r5, 0x10f, 0x7f, &(0x7f00000002c0)=0x40003, 0x1) getsockopt$inet6_IPV6_FLOWLABEL_MGR(r3, 0x29, 0x20, &(0x7f00000003c0)={@remote, 0x401, 0x3, 0x1, 0xa, 0x2, 0x2ef}, &(0x7f0000000500)=0x20) unshare(0x10000000) ioctl$sock_inet_SIOCSIFADDR(r4, 0x8916, &(0x7f0000000100)={'syzkaller0\x00', {0x2, 0x4e23, @local}}) r6 = socket$inet6(0xa, 0x3, 0x3a) setsockopt$inet6_MRT6_ADD_MFC(r6, 0x29, 0xcc, &(0x7f0000000040)={{0xa, 0x0, 0x0, @loopback}, {0xa, 0x0, 0x0, @mcast1}, 0x0, [0x8001, 0x0, 0x0, 0x0, 0x0, 0xff]}, 0x5c) [ 789.855443][T22337] binder: 22336:22337 got transaction to invalid handle 08:36:58 executing program 4: r0 = socket$inet(0x2, 0x200000002, 0x0) bind$inet(r0, &(0x7f0000000040)={0x2, 0x4004e21}, 0x10) connect$inet(r0, &(0x7f0000001380)={0x2, 0x0, @remote}, 0x10) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x86ddffff, 0x4e21, 0x8}}}}}, 0x0) 08:36:58 executing program 3: r0 = getpid() sched_setscheduler(r0, 0x5, &(0x7f0000000040)) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000003c0)='/dev/kvm\x00', 0x20000000000000, 0x0) r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) syz_open_dev$binder(0x0, 0x0, 0x0) ioctl$KVM_REGISTER_COALESCED_MMIO(r2, 0x4010ae67, &(0x7f0000000400)) write$binfmt_misc(0xffffffffffffffff, &(0x7f00000001c0)={'syz1'}, 0x4) ioctl$KVM_SET_REGS(0xffffffffffffffff, 0x4090ae82, 0x0) ioctl$KVM_RUN(0xffffffffffffffff, 0xae80, 0x0) [ 789.914575][T22337] binder: 22336:22337 transaction failed 29201/-22, size 0-32 line 2995 08:36:58 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) r1 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x400800, 0x0) sendto$inet6(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) ioctl$VIDIOC_S_AUDIO(r1, 0x40345622, 0x0) mq_timedreceive(r1, 0x0, 0x0, 0xe9, &(0x7f0000000140)) semget$private(0x0, 0x3, 0x40) semctl$SEM_STAT(0x0, 0x0, 0x12, 0x0) ioctl$VIDIOC_S_EDID(0xffffffffffffffff, 0xc0285629, &(0x7f0000000340)={0x0, 0xfffffffffffffc01, 0x0, [], 0x0}) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") [ 790.134221][ T26] audit: type=1400 audit(1556613419.037:77): avc: denied { setopt } for pid=22374 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 [ 790.327402][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:36:59 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:36:59 executing program 4: r0 = socket$inet(0x2, 0x200000002, 0x0) bind$inet(r0, &(0x7f0000000040)={0x2, 0x4004e21}, 0x10) connect$inet(r0, &(0x7f0000001380)={0x2, 0x0, @remote}, 0x10) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x86ddffff, 0x4e21, 0x8}}}}}, 0x0) 08:36:59 executing program 2: syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x0, 0x0, @empty=0xac1414bb, @multicast1=0xe0000002}, @udp={0x0, 0x0, 0x8}}}}}, 0x0) 08:36:59 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) r1 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x400800, 0x0) sendto$inet6(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) ioctl$VIDIOC_S_AUDIO(r1, 0x40345622, 0x0) mq_timedreceive(r1, 0x0, 0x0, 0xe9, &(0x7f0000000140)) semget$private(0x0, 0x3, 0x40) semctl$SEM_STAT(0x0, 0x0, 0x12, 0x0) ioctl$VIDIOC_S_EDID(0xffffffffffffffff, 0xc0285629, &(0x7f0000000340)={0x0, 0xfffffffffffffc01, 0x0, [], 0x0}) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:36:59 executing program 3: r0 = syz_open_procfs$namespace(0x0, &(0x7f00000001c0)='ns/pid_for_children\x00') r1 = dup2(r0, r0) ioctl$TCSBRK(r1, 0x5409, 0x0) 08:36:59 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:36:59 executing program 4: r0 = socket$inet(0x2, 0x200000002, 0x0) bind$inet(r0, &(0x7f0000000040)={0x2, 0x4004e21}, 0x10) connect$inet(r0, &(0x7f0000001380)={0x2, 0x0, @remote}, 0x10) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x86ddffff, 0x4e21, 0x8}}}}}, 0x0) 08:37:00 executing program 4: r0 = socket$inet(0x2, 0x200000002, 0x0) bind$inet(r0, &(0x7f0000000040)={0x2, 0x4004e21}, 0x10) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x86ddffff, 0x4e21, 0x8}}}}}, 0x0) 08:37:00 executing program 2: r0 = socket$inet(0x2, 0x200000002, 0x0) bind$inet(r0, &(0x7f0000000040)={0x2, 0x4004e21}, 0x10) connect$inet(r0, &(0x7f0000001380)={0x2, 0x0, @remote}, 0x10) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty=0x7f000001, @multicast1}, @udp={0x0, 0x4e21, 0x8}}}}}, 0x0) 08:37:00 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) r1 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x400800, 0x0) sendto$inet6(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) ioctl$VIDIOC_S_AUDIO(r1, 0x40345622, 0x0) mq_timedreceive(r1, 0x0, 0x0, 0xe9, &(0x7f0000000140)) semget$private(0x0, 0x3, 0x40) semctl$SEM_STAT(0x0, 0x0, 0x12, 0x0) ioctl$VIDIOC_S_EDID(0xffffffffffffffff, 0xc0285629, &(0x7f0000000340)={0x0, 0xfffffffffffffc01, 0x0, [], 0x0}) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:00 executing program 3: r0 = creat(&(0x7f00000006c0)='\xe9\x1fq\x89Y\x1e\x923aK\x00', 0x0) ioctl$FICLONERANGE(r0, 0x4020940d, &(0x7f0000000000)={r0}) 08:37:00 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:37:00 executing program 3: syz_mount_image$ntfs(&(0x7f0000000000)='ntfs\x00', &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0, 0x0, &(0x7f0000001600)={[{@disable_sparse_no='disable_sparse=no'}, {@mft_zone_multiplier={'mft_zone_multiplier'}}, {@nls={'nls', 0x3d, 'cp866'}}, {@errors_continue='errors=continue'}, {@umask={'umask'}}], [{@smackfsroot={'smackfsroot', 0x3d, 'ntfs\x00'}}, {@obj_user={'obj_user', 0x3d, 'ntfs\x00'}}, {@fsname={'fsname', 0x3d, 'ntfs\x00'}}]}) 08:37:00 executing program 2: socket$inet_smc(0x2b, 0x1, 0x0) socket$key(0xf, 0x3, 0x2) socket$inet_udplite(0x2, 0x2, 0x88) openat$null(0xffffffffffffff9c, &(0x7f0000000180)='/dev/null\x00', 0x0, 0x0) socket(0x100000000a, 0x1, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socket$inet(0xa, 0x801, 0x84) r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") syz_execute_func(&(0x7f0000000340)="c462653dce0fbdc52ecd8080000cc4e1ed64338a20d0d0f0408392300000002a6626f243e0ff0070e4c653fb0f450fbd27a95f5744be3c3b6446ddcb8f48508e307b8f69289bd19d670f381d6a2f67450f483bd1d97c7c63460f096161787896c401fe5ff666410fd7cae1b1c402010804f466400f38f556f6892a009f") 08:37:00 executing program 4: socket$inet(0x2, 0x200000002, 0x0) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x86ddffff, 0x4e21, 0x8}}}}}, 0x0) 08:37:00 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) r1 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x400800, 0x0) sendto$inet6(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) ioctl$VIDIOC_S_AUDIO(r1, 0x40345622, 0x0) mq_timedreceive(r1, 0x0, 0x0, 0xe9, &(0x7f0000000140)) semget$private(0x0, 0x3, 0x40) semctl$SEM_STAT(0x0, 0x0, 0x12, 0x0) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") [ 791.515448][T22617] binder: 22612:22617 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 791.542466][T22618] ntfs: (device loop3): parse_options(): Unrecognized mount option smackfsroot. 08:37:00 executing program 4: socket$inet(0x2, 0x200000002, 0x0) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x86ddffff, 0x4e21, 0x8}}}}}, 0x0) [ 791.605778][T22617] binder: 22612:22617 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 791.639298][T22617] binder: 22612:22617 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 791.729928][T22617] binder: 22612:22617 got transaction to invalid handle [ 791.765503][T22618] ntfs: (device loop3): parse_options(): Unrecognized mount option smackfsroot. [ 791.812339][T22617] binder: 22612:22617 transaction failed 29201/-22, size 0-40 line 2995 [ 791.954926][T13002] binder: undelivered TRANSACTION_ERROR: 29201 08:37:01 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x0, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:01 executing program 2: r0 = openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000300)='/dev/infiniband/rdma_cm\x00', 0x2, 0x0) write$RDMA_USER_CM_CMD_SET_OPTION(r0, &(0x7f00000000c0)={0x16, 0x18, 0xfa00, @id_resuseaddr={0x0}}, 0x20) 08:37:01 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:37:01 executing program 4: socket$inet(0x2, 0x200000002, 0x0) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x86ddffff, 0x4e21, 0x8}}}}}, 0x0) 08:37:01 executing program 3: syz_mount_image$ntfs(&(0x7f0000000000)='ntfs\x00', &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0, 0x0, &(0x7f0000001600)={[{@disable_sparse_no='disable_sparse=no'}, {@mft_zone_multiplier={'mft_zone_multiplier'}}, {@nls={'nls', 0x3d, 'cp866'}}, {@errors_continue='errors=continue'}, {@umask={'umask'}}], [{@smackfsroot={'smackfsroot', 0x3d, 'ntfs\x00'}}, {@obj_user={'obj_user', 0x3d, 'ntfs\x00'}}, {@fsname={'fsname', 0x3d, 'ntfs\x00'}}]}) 08:37:01 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) r1 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x400800, 0x0) sendto$inet6(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) ioctl$VIDIOC_S_AUDIO(r1, 0x40345622, 0x0) mq_timedreceive(r1, 0x0, 0x0, 0xe9, &(0x7f0000000140)) semget$private(0x0, 0x3, 0x40) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") [ 792.375992][T22747] binder: 22745:22747 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 792.402016][T22748] ntfs: (device loop3): parse_options(): Unrecognized mount option smackfsroot. [ 792.409278][T22747] binder: 22745:22747 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 792.480634][T22747] binder: 22745:22747 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 792.499539][T22747] binder: 22745:22747 got transaction to invalid handle 08:37:01 executing program 4: bind$inet(0xffffffffffffffff, &(0x7f0000000040)={0x2, 0x4004e21}, 0x10) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x86ddffff, 0x4e21, 0x8}}}}}, 0x0) [ 792.536093][T22747] binder: 22745:22747 transaction failed 29201/-22, size 0-40 line 2995 08:37:01 executing program 2: r0 = openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000300)='/dev/infiniband/rdma_cm\x00', 0x2, 0x0) write$RDMA_USER_CM_CMD_SET_OPTION(r0, &(0x7f00000000c0)={0x16, 0x18, 0xfa00, @id_resuseaddr={0x0}}, 0x20) 08:37:01 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x6c, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:37:01 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) r1 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x400800, 0x0) sendto$inet6(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) ioctl$VIDIOC_S_AUDIO(r1, 0x40345622, 0x0) mq_timedreceive(r1, 0x0, 0x0, 0xe9, &(0x7f0000000140)) semget$private(0x0, 0x3, 0x40) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") [ 792.672012][ T8159] binder: undelivered TRANSACTION_ERROR: 29201 [ 792.760179][T22867] binder: 22865:22867 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 792.791051][T22867] binder: 22865:22867 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 792.829232][T22867] binder: 22865:22867 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 08:37:01 executing program 4: bind$inet(0xffffffffffffffff, &(0x7f0000000040)={0x2, 0x4004e21}, 0x10) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x86ddffff, 0x4e21, 0x8}}}}}, 0x0) [ 792.971872][T22867] binder: 22865:22867 got transaction to invalid handle 08:37:01 executing program 2: r0 = openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000300)='/dev/infiniband/rdma_cm\x00', 0x2, 0x0) write$RDMA_USER_CM_CMD_SET_OPTION(r0, &(0x7f00000000c0)={0x16, 0x18, 0xfa00, @id_resuseaddr={0x0}}, 0x20) 08:37:01 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x0, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:01 executing program 3: syz_mount_image$ntfs(&(0x7f0000000000)='ntfs\x00', &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0, 0x0, &(0x7f0000001600)={[{@disable_sparse_no='disable_sparse=no'}, {@mft_zone_multiplier={'mft_zone_multiplier'}}, {@nls={'nls', 0x3d, 'cp866'}}, {@errors_continue='errors=continue'}, {@umask={'umask'}}], [{@smackfsroot={'smackfsroot', 0x3d, 'ntfs\x00'}}, {@obj_user={'obj_user', 0x3d, 'ntfs\x00'}}, {@fsname={'fsname', 0x3d, 'ntfs\x00'}}]}) 08:37:02 executing program 4: bind$inet(0xffffffffffffffff, &(0x7f0000000040)={0x2, 0x4004e21}, 0x10) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x86ddffff, 0x4e21, 0x8}}}}}, 0x0) [ 793.074989][T22867] binder: 22865:22867 transaction failed 29201/-22, size 0-40 line 2995 08:37:02 executing program 4: r0 = socket$inet(0x2, 0x0, 0x0) bind$inet(r0, &(0x7f0000000040)={0x2, 0x4004e21}, 0x10) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x86ddffff, 0x4e21, 0x8}}}}}, 0x0) 08:37:02 executing program 2: r0 = openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000300)='/dev/infiniband/rdma_cm\x00', 0x2, 0x0) write$RDMA_USER_CM_CMD_SET_OPTION(r0, &(0x7f00000000c0)={0x16, 0x18, 0xfa00, @id_resuseaddr={0x0}}, 0x20) [ 793.183560][T22926] ntfs: (device loop3): parse_options(): Unrecognized mount option smackfsroot. 08:37:02 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) r1 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x400800, 0x0) sendto$inet6(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) ioctl$VIDIOC_S_AUDIO(r1, 0x40345622, 0x0) mq_timedreceive(r1, 0x0, 0x0, 0xe9, &(0x7f0000000140)) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:02 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x6c, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:37:02 executing program 3: syz_mount_image$ntfs(&(0x7f0000000000)='ntfs\x00', &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0, 0x0, &(0x7f0000001600)={[{@disable_sparse_no='disable_sparse=no'}, {@mft_zone_multiplier={'mft_zone_multiplier'}}, {@nls={'nls', 0x3d, 'cp866'}}, {@errors_continue='errors=continue'}, {@umask={'umask'}}], [{@smackfsroot={'smackfsroot', 0x3d, 'ntfs\x00'}}, {@obj_user={'obj_user', 0x3d, 'ntfs\x00'}}, {@fsname={'fsname', 0x3d, 'ntfs\x00'}}]}) [ 793.277959][ T8159] binder: undelivered TRANSACTION_ERROR: 29201 08:37:02 executing program 2: write$RDMA_USER_CM_CMD_SET_OPTION(0xffffffffffffffff, &(0x7f00000000c0)={0x16, 0x18, 0xfa00, @id_resuseaddr={0x0}}, 0x20) [ 793.390192][T23009] binder: 23008:23009 DecRefs 0 refcount change on invalid ref 2 ret -22 08:37:02 executing program 4: r0 = socket$inet(0x2, 0x0, 0x0) bind$inet(r0, &(0x7f0000000040)={0x2, 0x4004e21}, 0x10) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x86ddffff, 0x4e21, 0x8}}}}}, 0x0) [ 793.431676][T23009] binder: 23008:23009 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 793.461913][T23017] ntfs: (device loop3): parse_options(): Unrecognized mount option smackfsroot. [ 793.504543][T23009] binder: 23008:23009 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 08:37:02 executing program 2: write$RDMA_USER_CM_CMD_SET_OPTION(0xffffffffffffffff, &(0x7f00000000c0)={0x16, 0x18, 0xfa00, @id_resuseaddr={0x0}}, 0x20) [ 793.548931][T23009] binder: 23008:23009 got transaction to invalid handle [ 793.574177][T23009] binder: 23008:23009 transaction failed 29201/-22, size 0-40 line 2995 08:37:02 executing program 4: r0 = socket$inet(0x2, 0x0, 0x0) bind$inet(r0, &(0x7f0000000040)={0x2, 0x4004e21}, 0x10) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x86ddffff, 0x4e21, 0x8}}}}}, 0x0) [ 793.903792][ T8159] binder: undelivered TRANSACTION_ERROR: 29201 08:37:03 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x0, 0x737, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:03 executing program 2: write$RDMA_USER_CM_CMD_SET_OPTION(0xffffffffffffffff, &(0x7f00000000c0)={0x16, 0x18, 0xfa00, @id_resuseaddr={0x0}}, 0x20) 08:37:03 executing program 3: syz_mount_image$ntfs(0x0, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0, 0x0, &(0x7f0000001600)={[{@disable_sparse_no='disable_sparse=no'}, {@mft_zone_multiplier={'mft_zone_multiplier'}}, {@nls={'nls', 0x3d, 'cp866'}}, {@errors_continue='errors=continue'}, {@umask={'umask'}}], [{@smackfsroot={'smackfsroot', 0x3d, 'ntfs\x00'}}, {@obj_user={'obj_user', 0x3d, 'ntfs\x00'}}, {@fsname={'fsname', 0x3d, 'ntfs\x00'}}]}) 08:37:03 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x6c, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:37:03 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) r1 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x400800, 0x0) sendto$inet6(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) ioctl$VIDIOC_S_AUDIO(r1, 0x40345622, 0x0) mq_timedreceive(r1, 0x0, 0x0, 0xe9, &(0x7f0000000140)) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:03 executing program 4: socket$inet(0x2, 0x200000002, 0x0) bind$inet(0xffffffffffffffff, &(0x7f0000000040)={0x2, 0x4004e21}, 0x10) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x86ddffff, 0x4e21, 0x8}}}}}, 0x0) [ 794.196918][T23156] binder: 23151:23156 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 794.230380][T23156] binder: 23151:23156 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER 08:37:03 executing program 4: socket$inet(0x2, 0x200000002, 0x0) bind$inet(0xffffffffffffffff, &(0x7f0000000040)={0x2, 0x4004e21}, 0x10) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x86ddffff, 0x4e21, 0x8}}}}}, 0x0) [ 794.258417][T23156] binder: 23151:23156 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 794.279214][T23156] binder: 23151:23156 got transaction to invalid handle [ 794.298450][T23156] binder: 23151:23156 transaction failed 29201/-22, size 0-40 line 2995 08:37:03 executing program 2: r0 = openat$rdma_cm(0xffffffffffffff9c, 0x0, 0x2, 0x0) write$RDMA_USER_CM_CMD_SET_OPTION(r0, &(0x7f00000000c0)={0x16, 0x18, 0xfa00, @id_resuseaddr={0x0}}, 0x20) 08:37:03 executing program 3: syz_mount_image$ntfs(0x0, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0, 0x0, &(0x7f0000001600)={[{@disable_sparse_no='disable_sparse=no'}, {@mft_zone_multiplier={'mft_zone_multiplier'}}, {@nls={'nls', 0x3d, 'cp866'}}, {@errors_continue='errors=continue'}, {@umask={'umask'}}], [{@smackfsroot={'smackfsroot', 0x3d, 'ntfs\x00'}}, {@obj_user={'obj_user', 0x3d, 'ntfs\x00'}}, {@fsname={'fsname', 0x3d, 'ntfs\x00'}}]}) 08:37:03 executing program 4: socket$inet(0x2, 0x200000002, 0x0) bind$inet(0xffffffffffffffff, &(0x7f0000000040)={0x2, 0x4004e21}, 0x10) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x86ddffff, 0x4e21, 0x8}}}}}, 0x0) 08:37:03 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) r1 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x400800, 0x0) sendto$inet6(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) ioctl$VIDIOC_S_AUDIO(r1, 0x40345622, 0x0) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:03 executing program 2: r0 = openat$rdma_cm(0xffffffffffffff9c, 0x0, 0x2, 0x0) write$RDMA_USER_CM_CMD_SET_OPTION(r0, &(0x7f00000000c0)={0x16, 0x18, 0xfa00, @id_resuseaddr={0x0}}, 0x20) [ 794.706992][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:37:04 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x20, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:04 executing program 4: r0 = socket$inet(0x2, 0x200000002, 0x0) bind$inet(r0, 0x0, 0x0) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x86ddffff, 0x4e21, 0x8}}}}}, 0x0) 08:37:04 executing program 3: syz_mount_image$ntfs(0x0, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0, 0x0, &(0x7f0000001600)={[{@disable_sparse_no='disable_sparse=no'}, {@mft_zone_multiplier={'mft_zone_multiplier'}}, {@nls={'nls', 0x3d, 'cp866'}}, {@errors_continue='errors=continue'}, {@umask={'umask'}}], [{@smackfsroot={'smackfsroot', 0x3d, 'ntfs\x00'}}, {@obj_user={'obj_user', 0x3d, 'ntfs\x00'}}, {@fsname={'fsname', 0x3d, 'ntfs\x00'}}]}) 08:37:04 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x60, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:37:04 executing program 2: r0 = openat$rdma_cm(0xffffffffffffff9c, 0x0, 0x2, 0x0) write$RDMA_USER_CM_CMD_SET_OPTION(r0, &(0x7f00000000c0)={0x16, 0x18, 0xfa00, @id_resuseaddr={0x0}}, 0x20) 08:37:04 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) r1 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x400800, 0x0) sendto$inet6(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) ioctl$VIDIOC_S_AUDIO(r1, 0x40345622, 0x0) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") [ 795.179838][T23301] binder: 23293:23301 DecRefs 0 refcount change on invalid ref 2 ret -22 08:37:04 executing program 2: openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000300)='/dev/infiniband/rdma_cm\x00', 0x2, 0x0) write$RDMA_USER_CM_CMD_SET_OPTION(0xffffffffffffffff, &(0x7f00000000c0)={0x16, 0x18, 0xfa00, @id_resuseaddr={0x0}}, 0x20) 08:37:04 executing program 4: r0 = socket$inet(0x2, 0x200000002, 0x0) bind$inet(r0, 0x0, 0x0) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x86ddffff, 0x4e21, 0x8}}}}}, 0x0) [ 795.244420][T23301] binder: 23293:23301 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 795.261476][T23301] binder: 23293:23301 got transaction to invalid handle [ 795.291323][T23301] binder: 23293:23301 transaction failed 29201/-22, size 0-40 line 2995 08:37:04 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x60, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 795.442613][ T8159] binder: undelivered TRANSACTION_ERROR: 29201 08:37:04 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x400800, 0x0) sendto$inet6(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:04 executing program 3: syz_mount_image$ntfs(&(0x7f0000000000)='ntfs\x00', 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000001600)={[{@disable_sparse_no='disable_sparse=no'}, {@mft_zone_multiplier={'mft_zone_multiplier'}}, {@nls={'nls', 0x3d, 'cp866'}}, {@errors_continue='errors=continue'}, {@umask={'umask'}}], [{@smackfsroot={'smackfsroot', 0x3d, 'ntfs\x00'}}, {@obj_user={'obj_user', 0x3d, 'ntfs\x00'}}, {@fsname={'fsname', 0x3d, 'ntfs\x00'}}]}) 08:37:04 executing program 4: r0 = socket$inet(0x2, 0x200000002, 0x0) bind$inet(r0, 0x0, 0x0) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x86ddffff, 0x4e21, 0x8}}}}}, 0x0) 08:37:05 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x0, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:05 executing program 2: openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000300)='/dev/infiniband/rdma_cm\x00', 0x2, 0x0) write$RDMA_USER_CM_CMD_SET_OPTION(0xffffffffffffffff, &(0x7f00000000c0)={0x16, 0x18, 0xfa00, @id_resuseaddr={0x0}}, 0x20) 08:37:05 executing program 3: syz_mount_image$ntfs(&(0x7f0000000000)='ntfs\x00', 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000001600)={[{@disable_sparse_no='disable_sparse=no'}, {@mft_zone_multiplier={'mft_zone_multiplier'}}, {@nls={'nls', 0x3d, 'cp866'}}, {@errors_continue='errors=continue'}, {@umask={'umask'}}], [{@smackfsroot={'smackfsroot', 0x3d, 'ntfs\x00'}}, {@obj_user={'obj_user', 0x3d, 'ntfs\x00'}}, {@fsname={'fsname', 0x3d, 'ntfs\x00'}}]}) 08:37:05 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x60, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:37:05 executing program 4: r0 = socket$inet(0x2, 0x200000002, 0x0) bind$inet(r0, &(0x7f0000000040), 0x10) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x86ddffff, 0x4e21, 0x8}}}}}, 0x0) 08:37:05 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x400800, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:05 executing program 4: r0 = socket$inet(0x2, 0x200000002, 0x0) bind$inet(r0, &(0x7f0000000040), 0x10) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x86ddffff, 0x4e21, 0x8}}}}}, 0x0) [ 796.478024][T23545] binder: 23544:23545 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 796.545362][T23545] binder: 23544:23545 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER 08:37:05 executing program 3: syz_mount_image$ntfs(&(0x7f0000000000)='ntfs\x00', 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000001600)={[{@disable_sparse_no='disable_sparse=no'}, {@mft_zone_multiplier={'mft_zone_multiplier'}}, {@nls={'nls', 0x3d, 'cp866'}}, {@errors_continue='errors=continue'}, {@umask={'umask'}}], [{@smackfsroot={'smackfsroot', 0x3d, 'ntfs\x00'}}, {@obj_user={'obj_user', 0x3d, 'ntfs\x00'}}, {@fsname={'fsname', 0x3d, 'ntfs\x00'}}]}) 08:37:05 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x400800, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:05 executing program 2: openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000300)='/dev/infiniband/rdma_cm\x00', 0x2, 0x0) write$RDMA_USER_CM_CMD_SET_OPTION(0xffffffffffffffff, &(0x7f00000000c0)={0x16, 0x18, 0xfa00, @id_resuseaddr={0x0}}, 0x20) [ 796.635096][T23545] binder: 23544:23545 got transaction to invalid handle [ 796.674353][T23545] binder: 23544:23545 transaction failed 29201/-22, size 0-40 line 2995 08:37:05 executing program 4: r0 = socket$inet(0x2, 0x200000002, 0x0) bind$inet(r0, &(0x7f0000000040), 0x10) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x86ddffff, 0x4e21, 0x8}}}}}, 0x0) 08:37:05 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 796.892156][ T8159] binder: undelivered TRANSACTION_ERROR: 29201 [ 796.996808][T23680] binder: 23677:23680 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 797.059046][T23680] binder: 23677:23680 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 797.085209][T23680] binder: 23677:23680 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 797.107019][T23680] binder: 23677:23680 got transaction to invalid handle [ 797.114285][T23680] binder: 23677:23680 transaction failed 29201/-22, size 0-40 line 2995 [ 797.179928][ T8159] binder: undelivered TRANSACTION_ERROR: 29201 08:37:06 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x0, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:06 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:37:06 executing program 4: r0 = socket$inet(0x2, 0x200000002, 0x0) bind$inet(r0, &(0x7f0000000040)={0x2, 0x4004e21}, 0x10) syz_emit_ethernet(0x0, 0x0, 0x0) 08:37:06 executing program 2: r0 = openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000300)='/dev/infiniband/rdma_cm\x00', 0x2, 0x0) write$RDMA_USER_CM_CMD_SET_OPTION(r0, 0x0, 0x0) 08:37:06 executing program 3: syz_mount_image$ntfs(&(0x7f0000000000)='ntfs\x00', &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0, 0x0, 0x0) 08:37:06 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x400800, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:06 executing program 4: r0 = socket$inet(0x2, 0x200000002, 0x0) bind$inet(r0, &(0x7f0000000040)={0x2, 0x4004e21}, 0x10) syz_emit_ethernet(0x0, 0x0, 0x0) [ 797.426993][T23787] binder: 23786:23787 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 797.441290][T23795] ntfs: (device loop3): ntfs_fill_super(): Unable to determine device size. [ 797.457350][T23787] binder: 23786:23787 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER 08:37:06 executing program 2: r0 = openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000300)='/dev/infiniband/rdma_cm\x00', 0x2, 0x0) write$RDMA_USER_CM_CMD_SET_OPTION(r0, 0x0, 0x0) [ 797.512054][T23787] binder: 23786:23787 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 797.521193][T23787] binder: 23786:23787 got transaction to invalid handle [ 797.533819][T23787] binder: 23786:23787 transaction failed 29201/-22, size 0-40 line 2995 08:37:06 executing program 4: r0 = socket$inet(0x2, 0x200000002, 0x0) bind$inet(r0, &(0x7f0000000040)={0x2, 0x4004e21}, 0x10) syz_emit_ethernet(0x0, 0x0, 0x0) 08:37:06 executing program 3: syz_mount_image$ntfs(&(0x7f0000000000)='ntfs\x00', &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0, 0x0, 0x0) 08:37:06 executing program 4: r0 = socket$inet(0x2, 0x200000002, 0x0) bind$inet(r0, &(0x7f0000000040)={0x2, 0x4004e21}, 0x10) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x0, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x86ddffff, 0x4e21, 0x8}}}}}, 0x0) 08:37:06 executing program 2: r0 = openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000300)='/dev/infiniband/rdma_cm\x00', 0x2, 0x0) write$RDMA_USER_CM_CMD_SET_OPTION(r0, 0x0, 0x0) [ 797.744434][T23912] ntfs: (device loop3): ntfs_fill_super(): Unable to determine device size. [ 797.762759][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:37:07 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x0, 0xe0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:07 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:07 executing program 3: syz_mount_image$ntfs(&(0x7f0000000000)='ntfs\x00', &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0, 0x0, 0x0) 08:37:07 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:37:07 executing program 4: r0 = socket$inet(0x2, 0x200000002, 0x0) bind$inet(r0, &(0x7f0000000040)={0x2, 0x4004e21}, 0x10) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x0, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x86ddffff, 0x4e21, 0x8}}}}}, 0x0) 08:37:07 executing program 2: r0 = socket$inet6(0xa, 0x2000000000001, 0x0) setsockopt$sock_int(r0, 0x1, 0xf, &(0x7f0000687000)=0x5c802861, 0x4) setsockopt$inet6_int(r0, 0x29, 0x100000000002, &(0x7f0000001140)=0x9, 0x4) bind$inet6(r0, &(0x7f0000402000)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) sendto$inet6(r0, 0x0, 0x0, 0xfffffefffffffffe, &(0x7f0000f62fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) getsockopt$inet6_buf(r0, 0x29, 0x6, 0x0, &(0x7f0000f12000)) [ 798.429653][T23940] binder: 23939:23940 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 798.440154][T23942] ntfs: (device loop3): ntfs_fill_super(): Unable to determine device size. [ 798.503365][T23940] binder: 23939:23940 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER 08:37:07 executing program 4: r0 = socket$inet(0x2, 0x200000002, 0x0) bind$inet(r0, &(0x7f0000000040)={0x2, 0x4004e21}, 0x10) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x0, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x86ddffff, 0x4e21, 0x8}}}}}, 0x0) [ 798.543856][T23940] binder: 23939:23940 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 798.638559][T23940] binder: 23939:23940 got transaction to invalid handle 08:37:07 executing program 2: r0 = socket$inet6(0xa, 0x2000000000001, 0x0) setsockopt$sock_int(r0, 0x1, 0xf, &(0x7f0000687000)=0x5c802861, 0x4) setsockopt$inet6_int(r0, 0x29, 0x100000000002, &(0x7f0000001140)=0x9, 0x4) bind$inet6(r0, &(0x7f0000402000)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) sendto$inet6(r0, 0x0, 0x0, 0xfffffefffffffffe, &(0x7f0000f62fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) getsockopt$inet6_buf(r0, 0x29, 0x6, 0x0, &(0x7f0000f12000)) [ 798.684623][T23940] binder: 23939:23940 transaction failed 29201/-22, size 0-40 line 2995 08:37:07 executing program 3: syz_mount_image$ntfs(&(0x7f0000000000)='ntfs\x00', &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0, 0x0, &(0x7f0000001600)={[{@disable_sparse_no='disable_sparse=no'}, {@mft_zone_multiplier={'mft_zone_multiplier'}}, {@nls={'nls', 0x3d, 'cp866'}}, {@errors_continue='errors=continue'}], [{@smackfsroot={'smackfsroot', 0x3d, 'ntfs\x00'}}, {@obj_user={'obj_user', 0x3d, 'ntfs\x00'}}, {@fsname={'fsname', 0x3d, 'ntfs\x00'}}]}) 08:37:07 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:07 executing program 4: r0 = socket$inet(0x2, 0x200000002, 0x0) bind$inet(r0, &(0x7f0000000040)={0x2, 0x4004e21}, 0x10) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x0, 0x4e21, 0x8}}}}}, 0x0) 08:37:07 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x6c, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 798.885617][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 798.908093][T24061] ntfs: (device loop3): parse_options(): Unrecognized mount option smackfsroot. [ 798.980737][T24071] binder: 24069:24071 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 798.998421][T24071] binder: 24069:24071 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 799.024791][T24071] binder: 24069:24071 got transaction to invalid handle [ 799.055312][T24071] binder: 24069:24071 transaction failed 29201/-22, size 0-40 line 2995 [ 799.330877][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:37:08 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x20, 0x0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:08 executing program 2: r0 = socket$inet6(0xa, 0x2000000000001, 0x0) setsockopt$sock_int(r0, 0x1, 0xf, &(0x7f0000687000)=0x5c802861, 0x4) setsockopt$inet6_int(r0, 0x29, 0x100000000002, &(0x7f0000001140)=0x9, 0x4) bind$inet6(r0, &(0x7f0000402000)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) sendto$inet6(r0, 0x0, 0x0, 0xfffffefffffffffe, &(0x7f0000f62fe4)={0xa, 0x4e20, 0x0, @loopback}, 0x1c) getsockopt$inet6_buf(r0, 0x29, 0x6, 0x0, &(0x7f0000f12000)) 08:37:08 executing program 3: syz_mount_image$ntfs(&(0x7f0000000000)='ntfs\x00', &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0, 0x0, &(0x7f0000001600)={[{@disable_sparse_no='disable_sparse=no'}, {@mft_zone_multiplier={'mft_zone_multiplier'}}, {@nls={'nls', 0x3d, 'cp866'}}, {@errors_continue='errors=continue'}], [{@smackfsroot={'smackfsroot', 0x3d, 'ntfs\x00'}}, {@obj_user={'obj_user', 0x3d, 'ntfs\x00'}}, {@fsname={'fsname', 0x3d, 'ntfs\x00'}}]}) 08:37:08 executing program 4: r0 = socket$inet(0x2, 0x200000002, 0x0) bind$inet(r0, &(0x7f0000000040)={0x2, 0x4004e21}, 0x10) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x0, 0x4e21, 0x8}}}}}, 0x0) 08:37:08 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x6c, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:37:08 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") [ 799.851813][T24187] ntfs: (device loop3): parse_options(): Unrecognized mount option smackfsroot. 08:37:08 executing program 4: r0 = socket$inet(0x2, 0x200000002, 0x0) bind$inet(r0, &(0x7f0000000040)={0x2, 0x4004e21}, 0x10) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x0, 0x4e21, 0x8}}}}}, 0x0) 08:37:08 executing program 2: syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x88, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x0, 0x0, 0x8}}}}}, 0x0) 08:37:09 executing program 4: r0 = socket$inet(0x2, 0x200000002, 0x0) bind$inet(r0, &(0x7f0000000040)={0x2, 0x4004e21}, 0x10) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x86ddffff, 0x0, 0x8}}}}}, 0x0) 08:37:09 executing program 3: syz_mount_image$ntfs(&(0x7f0000000000)='ntfs\x00', &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0, 0x0, &(0x7f0000001600)={[{@disable_sparse_no='disable_sparse=no'}, {@mft_zone_multiplier={'mft_zone_multiplier'}}, {@nls={'nls', 0x3d, 'cp866'}}, {@errors_continue='errors=continue'}], [{@smackfsroot={'smackfsroot', 0x3d, 'ntfs\x00'}}, {@obj_user={'obj_user', 0x3d, 'ntfs\x00'}}, {@fsname={'fsname', 0x3d, 'ntfs\x00'}}]}) 08:37:09 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x6c, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:37:09 executing program 2: socket$inet_smc(0x2b, 0x1, 0x0) socket$key(0xf, 0x3, 0x2) socket$inet_udplite(0x2, 0x2, 0x88) openat$null(0xffffffffffffff9c, &(0x7f0000000180)='/dev/null\x00', 0x0, 0x0) socket(0x100000000a, 0x1, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet(0xa, 0x801, 0x0) listen(r0, 0x0) r1 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r1, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") syz_execute_func(&(0x7f0000000340)="c462653dce0fbdc52ecd8080000cc4e1ed64338a20d0d0f0408392300000002a6626f243e0ff0070e4c653fb0f450fbd27a95f5744be3c3b6446ddcb8f48508e307b8f69289bd19d670f381d6a2f67450f483bd1d97c7c63460f096161787896c401fe5ff666410fd7cae1b1c402010804f466400f38f556f6892a009f") [ 800.385847][T24308] binder: 24306:24308 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 800.424103][T24308] binder: 24306:24308 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 800.453123][T24308] binder: 24306:24308 got transaction to invalid handle [ 800.465864][T24308] binder: 24306:24308 transaction failed 29201/-22, size 0-40 line 2995 [ 800.511319][T24309] ntfs: (device loop3): parse_options(): Unrecognized mount option smackfsroot. [ 800.771769][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:37:09 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x20, 0x0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:09 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x1, 0x0) bind$unix(r1, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) listen(r1, 0x0) connect$unix(r0, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) r2 = accept(r1, 0x0, 0x0) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) sendmsg$key(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) 08:37:09 executing program 4: r0 = socket$inet(0x2, 0x200000002, 0x0) bind$inet(r0, &(0x7f0000000040)={0x2, 0x4004e21}, 0x10) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x86ddffff, 0x0, 0x8}}}}}, 0x0) 08:37:09 executing program 3: syz_mount_image$ntfs(&(0x7f0000000000)='ntfs\x00', &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0, 0x0, &(0x7f0000001600)={[{@disable_sparse_no='disable_sparse=no'}, {@mft_zone_multiplier={'mft_zone_multiplier'}}, {@nls={'nls', 0x3d, 'cp866'}}, {@umask={'umask'}}], [{@smackfsroot={'smackfsroot', 0x3d, 'ntfs\x00'}}, {@obj_user={'obj_user', 0x3d, 'ntfs\x00'}}, {@fsname={'fsname', 0x3d, 'ntfs\x00'}}]}) 08:37:09 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:09 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x6c, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 801.073430][T24434] binder: 24431:24434 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 801.116346][T24434] binder: 24431:24434 ERROR: BC_REGISTER_LOOPER called without request [ 801.144592][T24434] binder: 24431:24434 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 801.169785][T24434] binder: 24431:24434 got transaction to invalid handle [ 801.191995][T24434] binder: 24431:24434 transaction failed 29201/-22, size 0-40 line 2995 08:37:10 executing program 4: r0 = socket$inet(0x2, 0x200000002, 0x0) bind$inet(r0, &(0x7f0000000040)={0x2, 0x4004e21}, 0x10) syz_emit_ethernet(0x2a, &(0x7f0000000000)={@link_local, @empty=[0x0, 0x0, 0x14], [], {@ipv4={0x800, {{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty=0xac1414bb, @multicast1}, @udp={0x86ddffff, 0x0, 0x8}}}}}, 0x0) [ 801.236856][T24432] ntfs: (device loop3): parse_options(): Unrecognized mount option smackfsroot. 08:37:10 executing program 3: syz_mount_image$ntfs(&(0x7f0000000000)='ntfs\x00', &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0, 0x0, &(0x7f0000001600)={[{@disable_sparse_no='disable_sparse=no'}, {@mft_zone_multiplier={'mft_zone_multiplier'}}, {@nls={'nls', 0x3d, 'cp866'}}, {@umask={'umask'}}], [{@smackfsroot={'smackfsroot', 0x3d, 'ntfs\x00'}}, {@obj_user={'obj_user', 0x3d, 'ntfs\x00'}}, {@fsname={'fsname', 0x3d, 'ntfs\x00'}}]}) 08:37:10 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x6c, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:37:10 executing program 4: bpf$MAP_CREATE(0x0, &(0x7f0000012000)={0xe, 0x100000004, 0x4, 0x83d3}, 0x2c) bpf$PROG_LOAD(0x5, &(0x7f0000000480)={0x6, 0x4, &(0x7f0000000040)=@framed={{}, [@jmp={0x5, 0x0, 0x0, 0x0, 0x0, 0x18}]}, &(0x7f0000000080)='GPL\x00', 0x9, 0x82, &(0x7f0000000240)=""/130, 0x0, 0x0, [], 0x0, 0x0, 0xffffffffffffff9c, 0x8, 0x0, 0x0, 0x10, 0x0}, 0x70) [ 801.502453][ T8159] binder: undelivered TRANSACTION_ERROR: 29201 [ 801.587385][T24544] ntfs: (device loop3): parse_options(): Unrecognized mount option smackfsroot. [ 801.613810][T24548] binder: 24547:24548 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 801.622807][T24548] binder: 24547:24548 ERROR: BC_REGISTER_LOOPER called without request [ 801.646783][T24548] binder: 24547:24548 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 801.657456][T24548] binder: 24547:24548 got transaction to invalid handle [ 801.672613][T24548] binder: 24547:24548 transaction failed 29201/-22, size 0-40 line 2995 08:37:10 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0xfffffffffffffffd, 0x31, 0xffffffffffffffff, 0x0) ioctl$KVM_ASSIGN_SET_MSIX_NR(r1, 0x4008ae73, &(0x7f0000000040)) [ 801.696546][T13002] binder: undelivered TRANSACTION_ERROR: 29201 08:37:10 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x6c, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 801.928210][T24561] binder: 24558:24561 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 801.954794][T24561] binder: 24558:24561 ERROR: BC_REGISTER_LOOPER called without request [ 801.963566][T24561] binder: 24558:24561 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 801.971517][T24561] binder: 24558:24561 got transaction to invalid handle [ 801.978596][T24561] binder: 24558:24561 transaction failed 29201/-22, size 0-40 line 2995 [ 801.993826][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:37:11 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x20, 0x0, 0x6, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:11 executing program 3: syz_mount_image$ntfs(&(0x7f0000000000)='ntfs\x00', &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0, 0x0, &(0x7f0000001600)={[{@disable_sparse_no='disable_sparse=no'}, {@mft_zone_multiplier={'mft_zone_multiplier'}}, {@nls={'nls', 0x3d, 'cp866'}}, {@umask={'umask'}}], [{@smackfsroot={'smackfsroot', 0x3d, 'ntfs\x00'}}, {@obj_user={'obj_user', 0x3d, 'ntfs\x00'}}, {@fsname={'fsname', 0x3d, 'ntfs\x00'}}]}) 08:37:11 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000100)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0xfffffffffffffffd, 0x31, 0xffffffffffffffff, 0x0) ioctl$KVM_DEASSIGN_DEV_IRQ(r1, 0x4040ae75, &(0x7f0000000040)) 08:37:11 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x1, 0x0) bind$unix(r1, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) listen(r1, 0x0) connect$unix(r0, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) r2 = accept(r1, 0x0, 0x0) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) sendmsg$key(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) 08:37:11 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:11 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x68, 0x0, &(0x7f00000004c0)=[@enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 802.375632][T24571] binder: 24570:24571 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 802.387042][T24576] ntfs: (device loop3): parse_options(): Unrecognized mount option smackfsroot. [ 802.428979][T24571] binder: 24570:24571 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 802.453861][T24571] binder: 24570:24571 got transaction to invalid handle [ 802.471042][T24571] binder: 24570:24571 transaction failed 29201/-22, size 0-40 line 2995 08:37:11 executing program 4: r0 = creat(&(0x7f0000000440)='./file0\x00', 0x20000000000003f) write$binfmt_elf64(r0, &(0x7f0000000000)=ANY=[@ANYBLOB="7f454c18df1f06ff070000000000000002000300140000004703000000000000408f8d80be2d3a7e370000000000000001000000945fa5e1aa22ca343eefb2ff"], 0x40) uselib(&(0x7f0000000300)='./file0\x00') 08:37:11 executing program 3: syz_mount_image$ntfs(&(0x7f0000000000)='ntfs\x00', &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0, 0x0, &(0x7f0000001600)={[{@disable_sparse_no='disable_sparse=no'}, {@mft_zone_multiplier={'mft_zone_multiplier'}}, {@errors_continue='errors=continue'}, {@umask={'umask'}}], [{@smackfsroot={'smackfsroot', 0x3d, 'ntfs\x00'}}, {@obj_user={'obj_user', 0x3d, 'ntfs\x00'}}, {@fsname={'fsname', 0x3d, 'ntfs\x00'}}]}) 08:37:11 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x68, 0x0, &(0x7f00000004c0)=[@enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 802.633201][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:37:11 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_TSS_ADDR(r1, 0xae47, 0xd000) ioctl$KVM_ASSIGN_PCI_DEVICE(0xffffffffffffffff, 0x8040ae69, &(0x7f0000000000)={0x1, 0x3, 0x0, 0x0, 0xfffffffffffffffe}) ioctl$KVM_RUN(r2, 0xae80, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000100)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 802.716635][T24689] ntfs: (device loop3): parse_options(): Unrecognized mount option smackfsroot. [ 802.748319][T24693] binder: 24691:24693 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER 08:37:11 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") [ 802.765242][T24693] binder: 24691:24693 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 802.773440][T24693] binder: 24691:24693 got transaction to invalid handle [ 802.781107][T24693] binder: 24691:24693 transaction failed 29201/-22, size 0-40 line 2995 08:37:11 executing program 3: syz_mount_image$ntfs(&(0x7f0000000000)='ntfs\x00', &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0, 0x0, &(0x7f0000001600)={[{@disable_sparse_no='disable_sparse=no'}, {@mft_zone_multiplier={'mft_zone_multiplier'}}, {@errors_continue='errors=continue'}, {@umask={'umask'}}], [{@smackfsroot={'smackfsroot', 0x3d, 'ntfs\x00'}}, {@obj_user={'obj_user', 0x3d, 'ntfs\x00'}}, {@fsname={'fsname', 0x3d, 'ntfs\x00'}}]}) [ 802.944519][T24781] ntfs: (device loop3): parse_options(): Unrecognized mount option smackfsroot. [ 803.037387][T13002] binder: undelivered TRANSACTION_ERROR: 29201 08:37:12 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x20, 0xe0, 0x0, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:12 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x68, 0x0, &(0x7f00000004c0)=[@enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:37:12 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x1, 0x0) bind$unix(r1, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) listen(r1, 0x0) connect$unix(r0, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) r2 = accept(r1, 0x0, 0x0) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) sendmsg$key(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) 08:37:12 executing program 3: syz_mount_image$ntfs(&(0x7f0000000000)='ntfs\x00', &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0, 0x0, &(0x7f0000001600)={[{@disable_sparse_no='disable_sparse=no'}, {@mft_zone_multiplier={'mft_zone_multiplier'}}, {@errors_continue='errors=continue'}, {@umask={'umask'}}], [{@smackfsroot={'smackfsroot', 0x3d, 'ntfs\x00'}}, {@obj_user={'obj_user', 0x3d, 'ntfs\x00'}}, {@fsname={'fsname', 0x3d, 'ntfs\x00'}}]}) 08:37:12 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_SIGNAL_MASK(r2, 0x4004ae8b, &(0x7f0000001240)=ANY=[]) 08:37:12 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") [ 803.551106][T24825] ntfs: (device loop3): parse_options(): Unrecognized mount option smackfsroot. [ 803.570368][T24830] binder: 24819:24830 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 803.598604][T24830] binder: 24819:24830 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 803.615019][T24830] binder: 24819:24830 got transaction to invalid handle [ 803.622959][T24830] binder: 24819:24830 transaction failed 29201/-22, size 0-40 line 2995 08:37:12 executing program 3: syz_mount_image$ntfs(&(0x7f0000000000)='ntfs\x00', &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0, 0x0, &(0x7f0000001600)={[{@disable_sparse_no='disable_sparse=no'}, {@nls={'nls', 0x3d, 'cp866'}}, {@errors_continue='errors=continue'}, {@umask={'umask'}}], [{@smackfsroot={'smackfsroot', 0x3d, 'ntfs\x00'}}, {@obj_user={'obj_user', 0x3d, 'ntfs\x00'}}, {@fsname={'fsname', 0x3d, 'ntfs\x00'}}]}) 08:37:12 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_SIGNAL_MASK(r2, 0x4004ae8b, &(0x7f0000001240)=ANY=[]) 08:37:12 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 803.790938][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 803.824319][T24938] ntfs: (device loop3): parse_options(): Unrecognized mount option smackfsroot. [ 803.901653][T24943] binder: 24942:24943 DecRefs 0 refcount change on invalid ref 0 ret -22 [ 803.916457][T24943] binder: 24942:24943 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 803.925705][T24943] binder: 24942:24943 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 803.940263][T24943] binder: 24942:24943 got transaction to invalid handle [ 803.948148][T24943] binder: 24942:24943 transaction failed 29201/-22, size 0-40 line 2995 08:37:12 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_SIGNAL_MASK(r2, 0x4004ae8b, &(0x7f0000001240)=ANY=[]) 08:37:12 executing program 3: syz_mount_image$ntfs(&(0x7f0000000000)='ntfs\x00', &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0, 0x0, &(0x7f0000001600)={[{@nls={'nls', 0x3d, 'cp866'}}, {@errors_continue='errors=continue'}, {@umask={'umask'}}], [{@smackfsroot={'smackfsroot', 0x3d, 'ntfs\x00'}}, {@obj_user={'obj_user', 0x3d, 'ntfs\x00'}}, {@fsname={'fsname', 0x3d, 'ntfs\x00'}}]}) 08:37:13 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") [ 804.171189][T25057] ntfs: (device loop3): parse_options(): Unrecognized mount option smackfsroot. [ 804.194839][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:37:13 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x20, 0xe0, 0x0, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:13 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_SIGNAL_MASK(r2, 0x4004ae8b, &(0x7f0000001240)=ANY=[]) 08:37:13 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:37:13 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:13 executing program 3: syz_mount_image$ntfs(&(0x7f0000000000)='ntfs\x00', &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0, 0x0, &(0x7f0000001600)={[{@nls={'nls', 0x3d, 'cp866'}}, {@errors_continue='errors=continue'}, {@umask={'umask'}}], [{@smackfsroot={'smackfsroot', 0x3d, 'ntfs\x00'}}, {@obj_user={'obj_user', 0x3d, 'ntfs\x00'}}, {@fsname={'fsname', 0x3d, 'ntfs\x00'}}]}) 08:37:13 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x1, 0x0) bind$unix(r1, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) listen(r1, 0x0) connect$unix(r0, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) r2 = accept(r1, 0x0, 0x0) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) sendmsg$key(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) [ 804.649474][T25078] binder: 25069:25078 DecRefs 0 refcount change on invalid ref 0 ret -22 [ 804.655085][T25075] ntfs: (device loop3): parse_options(): Unrecognized mount option smackfsroot. 08:37:13 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r0, 0x6430) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") [ 804.702026][T25078] binder: 25069:25078 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 804.733959][T25078] binder: 25069:25078 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 804.816101][T25078] binder: 25069:25078 got transaction to invalid handle 08:37:13 executing program 3: syz_mount_image$ntfs(&(0x7f0000000000)='ntfs\x00', &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0, 0x0, &(0x7f0000001600)={[{@nls={'nls', 0x3d, 'cp866'}}, {@errors_continue='errors=continue'}, {@umask={'umask'}}], [{@smackfsroot={'smackfsroot', 0x3d, 'ntfs\x00'}}, {@obj_user={'obj_user', 0x3d, 'ntfs\x00'}}, {@fsname={'fsname', 0x3d, 'ntfs\x00'}}]}) 08:37:13 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x0, 0x31, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_SIGNAL_MASK(0xffffffffffffffff, 0x4004ae8b, &(0x7f0000001240)=ANY=[]) [ 804.868058][T25078] binder: 25069:25078 transaction failed 29201/-22, size 0-40 line 2995 [ 804.954937][T25187] ntfs: (device loop3): parse_options(): Unrecognized mount option smackfsroot. 08:37:13 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:13 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x0, 0x31, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_SIGNAL_MASK(0xffffffffffffffff, 0x4004ae8b, &(0x7f0000001240)=ANY=[]) 08:37:14 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 805.099771][T13002] binder: undelivered TRANSACTION_ERROR: 29201 [ 805.189629][T25205] binder: 25203:25205 DecRefs 0 refcount change on invalid ref 0 ret -22 [ 805.231800][T25205] binder: 25203:25205 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 805.297772][T25205] binder: 25203:25205 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 805.350834][T25205] binder: 25203:25205 got transaction to invalid handle [ 805.373518][T25205] binder: 25203:25205 transaction failed 29201/-22, size 0-40 line 2995 [ 805.457102][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:37:14 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x20, 0xe0, 0x0, 0x7, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:14 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:14 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x0, 0x31, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_SIGNAL_MASK(0xffffffffffffffff, 0x4004ae8b, &(0x7f0000001240)=ANY=[]) 08:37:14 executing program 3: syz_mount_image$ntfs(&(0x7f0000000000)='ntfs\x00', &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0, 0x0, &(0x7f0000001600)={[{@disable_sparse_no='disable_sparse=no'}, {@nls={'nls', 0x3d, 'cp866'}}, {@errors_continue='errors=continue'}, {@umask={'umask'}}], [{@smackfsroot={'smackfsroot', 0x3d, 'ntfs\x00'}}, {@obj_user={'obj_user', 0x3d, 'ntfs\x00'}}]}) 08:37:14 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x0, 0x0, 0x0}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:37:14 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x1, 0x0) bind$unix(r1, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) listen(r1, 0x0) connect$unix(r0, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) accept(r1, 0x0, 0x0) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) [ 805.880114][T25320] binder: 25316:25320 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 805.887962][T25321] ntfs: (device loop3): parse_options(): Unrecognized mount option smackfsroot. [ 805.902770][T25320] binder: 25316:25320 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER 08:37:14 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_SIGNAL_MASK(r2, 0x4004ae8b, &(0x7f0000001240)=ANY=[]) 08:37:14 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x1, 0x0) bind$unix(r1, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) listen(r1, 0x0) connect$unix(r0, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) accept(r1, 0x0, 0x0) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) [ 805.996233][T25320] binder: 25316:25320 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 806.023211][T25320] binder: 25316:25320 got transaction to invalid handle [ 806.064350][T25320] binder: 25316:25320 transaction failed 29201/-22, size 0-40 line 2995 08:37:15 executing program 3: syz_mount_image$ntfs(&(0x7f0000000000)='ntfs\x00', &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0, 0x0, &(0x7f0000001600)={[{@disable_sparse_no='disable_sparse=no'}, {@nls={'nls', 0x3d, 'cp866'}}, {@errors_continue='errors=continue'}, {@umask={'umask'}}], [{@smackfsroot={'smackfsroot', 0x3d, 'ntfs\x00'}}]}) 08:37:15 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x0, 0x0, 0x0}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:37:15 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x60c341, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") [ 806.180429][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:37:15 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_SIGNAL_MASK(r2, 0x4004ae8b, &(0x7f0000001240)=ANY=[]) [ 806.270184][T25447] binder: 25445:25447 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 806.290655][T25448] ntfs: (device loop3): parse_options(): Unrecognized mount option smackfsroot. [ 806.371889][T25447] binder: 25445:25447 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 806.384890][T25447] binder: 25445:25447 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 806.395089][T25447] binder: 25445:25447 got transaction to invalid handle [ 806.421791][T25447] binder: 25445:25447 transaction failed 29201/-22, size 0-40 line 2995 [ 806.677828][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:37:15 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x20, 0xe0, 0x6, 0x0, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:15 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_SIGNAL_MASK(r2, 0x4004ae8b, &(0x7f0000001240)=ANY=[]) 08:37:15 executing program 3: syz_mount_image$ntfs(&(0x7f0000000000)='ntfs\x00', &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0, 0x0, &(0x7f0000001600)={[{@disable_sparse_no='disable_sparse=no'}, {@nls={'nls', 0x3d, 'cp866'}}, {@errors_continue='errors=continue'}, {@umask={'umask'}}]}) 08:37:15 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x0, 0x0, 0x0}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:37:15 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") [ 806.853619][T25563] binder: 25562:25563 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 806.868374][T25563] binder: 25562:25563 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 806.877757][T25563] binder: 25562:25563 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 806.885858][T25563] binder: 25562:25563 got transaction to invalid handle [ 806.893158][T25563] binder: 25562:25563 transaction failed 29201/-22, size 0-40 line 2995 [ 806.919211][T25568] ntfs: (device loop3): parse_options(): Unrecognized mount option . 08:37:15 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:16 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x0, 0x0, &(0x7f0000000540)}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:37:16 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x1, 0x0) bind$unix(r1, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) listen(r1, 0x0) connect$unix(r0, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) accept(r1, 0x0, 0x0) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) [ 807.093646][T13002] binder: undelivered TRANSACTION_ERROR: 29201 08:37:16 executing program 4: openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r0 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) ioctl$KVM_SET_SIGNAL_MASK(r0, 0x4004ae8b, &(0x7f0000001240)=ANY=[]) 08:37:16 executing program 3: ioctl(0xffffffffffffffff, 0x0, 0x0) r0 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) sysfs$1(0x1, 0x0) getsockopt$sock_timeval(0xffffffffffffffff, 0x1, 0x0, 0x0, 0x0) socketpair(0x0, 0x0, 0x0, 0x0) ioctl$sock_SIOCSIFBR(0xffffffffffffffff, 0x8941, 0x0) write$P9_RUNLINKAT(0xffffffffffffffff, 0x0, 0x0) r1 = openat$dir(0xffffffffffffff9c, 0x0, 0x8407e, 0x40000000000b) bpf$BPF_TASK_FD_QUERY(0x14, 0x0, 0x0) ptrace$getregs(0xffffffffffffffff, 0x0, 0x0, 0x0) ioctl$sock_FIOGETOWN(r0, 0x8903, &(0x7f0000000000)=0x0) r3 = getpid() tgkill(r2, r3, 0x10) ioctl$EXT4_IOC_PRECACHE_EXTENTS(0xffffffffffffffff, 0x6612) recvmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) r4 = perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) prctl$PR_GET_KEEPCAPS(0x7) perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) recvmmsg(0xffffffffffffffff, &(0x7f0000001440)=[{{0x0, 0x0, &(0x7f00000000c0)=[{&(0x7f0000005a00)=""/4096, 0x1000}], 0x1, &(0x7f0000000480)=""/38, 0x26}, 0x8}], 0x1, 0x0, 0x0) r5 = dup3(r4, r0, 0x80000) getsockopt$inet6_IPV6_XFRM_POLICY(r4, 0x29, 0x23, &(0x7f0000000100)={{{@in=@loopback, @in=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@dev}, 0x0, @in6=@remote}}, &(0x7f0000000200)=0xe8) setsockopt$inet_mreqn(r5, 0x0, 0x20, &(0x7f0000000240)={@broadcast, @rand_addr=0x7fff, r6}, 0xc) ioctl$sock_inet_SIOCSIFADDR(r1, 0x8916, 0x0) ioctl$KVM_ASSIGN_DEV_IRQ(0xffffffffffffffff, 0x4040ae70, 0x0) ioctl$sock_inet_tcp_SIOCOUTQ(0xffffffffffffffff, 0x5411, 0x0) recvmmsg(0xffffffffffffffff, &(0x7f0000001100)=[{{&(0x7f0000000ac0)=@alg, 0x80, &(0x7f0000000e40)=[{&(0x7f0000003540)=""/4096, 0x1000}, {&(0x7f0000000b40)=""/71, 0x47}, {&(0x7f0000004540)=""/4096, 0x1000}, {&(0x7f0000000c40)=""/30, 0x1d}, {&(0x7f0000006a00)=""/4096, 0x1000}, {&(0x7f0000000c80)=""/83, 0x53}, {&(0x7f0000000d00)=""/108, 0x6c}], 0x386}}], 0x1, 0x0, &(0x7f0000000ec0)={0x77359400}) r7 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r7, &(0x7f0000942000)={0x2, 0x4e20}, 0x10) setsockopt$sock_int(r7, 0x1, 0x3c, &(0x7f0000d4effc)=0x1, 0x4) connect$inet(r7, &(0x7f0000606ff0)={0x2, 0x4e20, @loopback}, 0x10) sendmmsg(r7, &(0x7f00000010c0)=[{{&(0x7f0000000bc0)=@in6={0xa, 0x0, 0x0, @mcast1={0xff, 0x1, [0x0, 0x0, 0x0, 0x0, 0x0, 0x7ffff000]}}, 0x80, &(0x7f0000000d40), 0x116, &(0x7f0000000d80)}}], 0x6d7, 0x40400d4) [ 807.245571][T25685] binder: 25683:25685 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 807.306483][T25685] binder: 25683:25685 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 807.416228][T25685] binder: 25683:25685 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 08:37:16 executing program 4: openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r0 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) ioctl$KVM_SET_SIGNAL_MASK(r0, 0x4004ae8b, &(0x7f0000001240)=ANY=[]) [ 807.461572][T25685] binder: 25683:25685 got transaction to invalid handle [ 807.468612][T25685] binder: 25683:25685 transaction failed 29201/-22, size 0-40 line 2995 08:37:16 executing program 3: [ 807.612658][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:37:16 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x20, 0xe0, 0x6, 0x0, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:16 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x0, 0x0, &(0x7f0000000540)}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:37:16 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:16 executing program 4: openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r0 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) ioctl$KVM_SET_SIGNAL_MASK(r0, 0x4004ae8b, &(0x7f0000001240)=ANY=[]) 08:37:16 executing program 3: 08:37:16 executing program 3: [ 807.990722][T25811] binder: 25805:25811 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 807.999534][T25811] binder: 25805:25811 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 808.008765][T25811] binder: 25805:25811 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 808.016987][T25811] binder: 25805:25811 got transaction to invalid handle [ 808.024473][T25811] binder: 25805:25811 transaction failed 29201/-22, size 0-40 line 2995 08:37:17 executing program 3: 08:37:17 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x1, 0x0) bind$unix(r1, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) listen(r1, 0x0) connect$unix(r0, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) r2 = accept(r1, 0x0, 0x0) sendmsg$key(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) 08:37:17 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x0, 0x0, &(0x7f0000000540)}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:37:17 executing program 4: r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x0) ioctl$KVM_SET_SIGNAL_MASK(r1, 0x4004ae8b, &(0x7f0000001240)=ANY=[]) [ 808.218639][T13002] binder: undelivered TRANSACTION_ERROR: 29201 08:37:17 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:17 executing program 3: [ 808.369692][T25925] binder: 25921:25925 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 808.394855][T25925] binder: 25921:25925 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 808.465267][T25925] binder: 25921:25925 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 808.570273][T25925] binder: 25921:25925 got transaction to invalid handle [ 808.612996][T25925] binder: 25921:25925 transaction failed 29201/-22, size 0-40 line 2995 [ 808.830866][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:37:18 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x20, 0xe0, 0x6, 0x0, 0x6, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:18 executing program 4: r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x0) ioctl$KVM_SET_SIGNAL_MASK(r1, 0x4004ae8b, &(0x7f0000001240)=ANY=[]) 08:37:18 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x1, 0x0) bind$unix(r1, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) listen(r1, 0x0) connect$unix(r0, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) r2 = accept(r1, 0x0, 0x0) sendmsg$key(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) 08:37:18 executing program 3: 08:37:18 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_open_dev$video(&(0x7f0000000000)='/dev/video#\x00', 0x0, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:18 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x1d, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:37:18 executing program 3: [ 809.198190][T26047] binder: 26046:26047 DecRefs 0 refcount change on invalid ref 2 ret -22 08:37:18 executing program 4: r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x0) ioctl$KVM_SET_SIGNAL_MASK(r1, 0x4004ae8b, &(0x7f0000001240)=ANY=[]) 08:37:18 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x1, 0x0) bind$unix(r1, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) listen(r1, 0x0) connect$unix(r0, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) r2 = accept(r1, 0x0, 0x0) sendmsg$key(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) [ 809.291906][T26047] binder: 26046:26047 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER 08:37:18 executing program 3: [ 809.369611][T26047] binder: 26046:26047 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 809.402982][T26047] binder: 26046:26047 got transaction to invalid handle 08:37:18 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_SIGNAL_MASK(r2, 0x4004ae8b, &(0x7f0000001240)=ANY=[]) [ 809.420031][T26047] binder: 26046:26047 transaction failed 29201/-22, size 0-40 line 2995 08:37:18 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x1, 0x0) bind$unix(r1, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) listen(r1, 0x0) connect$unix(r0, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) sendmsg$key(0xffffffffffffffff, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) [ 809.648532][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:37:18 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x20, 0xe0, 0x6, 0x0, 0x0, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:18 executing program 3: 08:37:18 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:18 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_SIGNAL_MASK(r2, 0x4004ae8b, &(0x7f0000001240)=ANY=[]) 08:37:18 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x1d, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:37:18 executing program 3: 08:37:18 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_SIGNAL_MASK(r2, 0x4004ae8b, &(0x7f0000001240)=ANY=[]) [ 810.027876][T26184] binder: 26179:26184 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 810.114886][T26184] binder: 26179:26184 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 810.165182][T26184] binder: 26179:26184 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 08:37:19 executing program 4: openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x0) ioctl$KVM_SET_SIGNAL_MASK(r1, 0x4004ae8b, &(0x7f0000001240)=ANY=[]) [ 810.237395][T26184] binder: 26179:26184 got transaction to invalid handle [ 810.307227][T26184] binder: 26179:26184 transaction failed 29201/-22, size 0-40 line 2995 08:37:19 executing program 3: 08:37:19 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) mount(0x0, &(0x7f0000000080)='./file0\x00', 0x0, 0x0, 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:19 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x1, 0x0) bind$unix(r1, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) listen(r1, 0x0) connect$unix(r0, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) sendmsg$key(0xffffffffffffffff, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) 08:37:19 executing program 4: openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x0) ioctl$KVM_SET_SIGNAL_MASK(r1, 0x4004ae8b, &(0x7f0000001240)=ANY=[]) [ 810.597697][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:37:20 executing program 3: 08:37:20 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x1d, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:37:20 executing program 4: openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x0) ioctl$KVM_SET_SIGNAL_MASK(r1, 0x4004ae8b, &(0x7f0000001240)=ANY=[]) 08:37:20 executing program 5: mkdir(&(0x7f0000000040)='./file0\x00', 0x0) syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:20 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x20, 0xe0, 0x6, 0x0, 0x0, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:20 executing program 3: inotify_init1(0x0) socket$inet_udplite(0x2, 0x2, 0x88) socket(0x100000000a, 0x1, 0x0) socket$inet_udp(0x2, 0x2, 0x0) openat$null(0xffffffffffffff9c, &(0x7f0000000180)='/dev/null\x00', 0x0, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) openat$hwrng(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hwrng\x00', 0x0, 0x0) r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") syz_execute_func(&(0x7f00000000c0)="c462653dce0fbdc52ecd8080020cc4e1ed64338a20d0d0f040839230f000002a6626f243e0ff0070e4c653fb0f458fbd27a95f5744be3c3b6446ddcb8f48508e307b8f69289bd19d670f381d6a2f67450f483bd1d97c7c63460f09616196c401fe5ff666410fd7cae1b1c402010804f466400f38f556f6892a009f") 08:37:20 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x0, 0x10, 0xffffffffffffffff, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_SIGNAL_MASK(r2, 0x4004ae8b, &(0x7f0000001240)=ANY=[]) [ 811.185736][T26322] binder: 26317:26322 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 811.336165][T26322] binder: 26317:26322 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER 08:37:20 executing program 3: inotify_init1(0x0) socket$inet_udplite(0x2, 0x2, 0x88) socket(0x100000000a, 0x1, 0x0) socket$inet_udp(0x2, 0x2, 0x0) openat$null(0xffffffffffffff9c, &(0x7f0000000180)='/dev/null\x00', 0x0, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) openat$hwrng(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hwrng\x00', 0x0, 0x0) r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") syz_execute_func(&(0x7f00000000c0)="c462653dce0fbdc52ecd8080020cc4e1ed64338a20d0d0f040839230f000002a6626f243e0ff0070e4c653fb0f458fbd27a95f5744be3c3b6446ddcb8f48508e307b8f69289bd19d670f381d6a2f67450f483bd1d97c7c63460f09616196c401fe5ff666410fd7cae1b1c402010804f466400f38f556f6892a009f") 08:37:20 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x1, 0x0) bind$unix(r1, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) listen(r1, 0x0) connect$unix(r0, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) sendmsg$key(0xffffffffffffffff, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) [ 811.413184][T26322] binder: 26317:26322 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 08:37:20 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x0, 0x10, 0xffffffffffffffff, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_SIGNAL_MASK(r2, 0x4004ae8b, &(0x7f0000001240)=ANY=[]) [ 811.510149][T26322] binder: 26317:26322 got transaction to invalid handle [ 811.548900][T26322] binder: 26317:26322 transaction failed 29201/-22, size 0-40 line 2995 08:37:20 executing program 5: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:20 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x2b, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 811.730824][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:37:20 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x0, 0x10, 0xffffffffffffffff, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_SIGNAL_MASK(r2, 0x4004ae8b, &(0x7f0000001240)=ANY=[]) 08:37:20 executing program 3: inotify_init1(0x0) socket$inet_udplite(0x2, 0x2, 0x88) socket(0x100000000a, 0x1, 0x0) socket$inet_udp(0x2, 0x2, 0x0) openat$null(0xffffffffffffff9c, &(0x7f0000000180)='/dev/null\x00', 0x0, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) openat$hwrng(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hwrng\x00', 0x0, 0x0) r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") syz_execute_func(&(0x7f00000000c0)="c462653dce0fbdc52ecd8080020cc4e1ed64338a20d0d0f040839230f000002a6626f243e0ff0070e4c653fb0f458fbd27a95f5744be3c3b6446ddcb8f48508e307b8f69289bd19d670f381d6a2f67450f483bd1d97c7c63460f09616196c401fe5ff666410fd7cae1b1c402010804f466400f38f556f6892a009f") [ 811.822620][T26450] binder: 26449:26450 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 811.865438][T26450] binder: 26449:26450 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 811.954455][T26450] binder: 26449:26450 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 812.024700][T26450] binder: 26449:26450 got transaction to invalid handle [ 812.032541][T26450] binder: 26449:26450 transaction failed 29201/-22, size 0-40 line 2995 08:37:21 executing program 5: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:21 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) ioctl$KVM_SET_SIGNAL_MASK(r1, 0x4004ae8b, &(0x7f0000001240)=ANY=[]) [ 812.281664][T13002] binder: undelivered TRANSACTION_ERROR: 29201 08:37:21 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x20, 0xe0, 0x6, 0x0, 0x0, 0x1, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:21 executing program 3: inotify_init1(0x0) socket$inet_udplite(0x2, 0x2, 0x88) socket(0x100000000a, 0x1, 0x0) socket$inet_udp(0x2, 0x2, 0x0) openat$null(0xffffffffffffff9c, &(0x7f0000000180)='/dev/null\x00', 0x0, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) openat$hwrng(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hwrng\x00', 0x0, 0x0) r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") syz_execute_func(&(0x7f00000000c0)="c462653dce0fbdc52ecd8080020cc4e1ed64338a20d0d0f040839230f000002a6626f243e0ff0070e4c653fb0f458fbd27a95f5744be3c3b6446ddcb8f48508e307b8f69289bd19d670f381d6a2f67450f483bd1d97c7c63460f09616196c401fe5ff666410fd7cae1b1c402010804f466400f38f556f6892a009f") 08:37:21 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x2b, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:37:21 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) ioctl$KVM_SET_SIGNAL_MASK(r1, 0x4004ae8b, &(0x7f0000001240)=ANY=[]) 08:37:21 executing program 5: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:21 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x1, 0x0) bind$unix(r1, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) listen(r1, 0x0) r2 = accept(r1, 0x0, 0x0) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) sendmsg$key(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) [ 812.551924][T26577] binder: 26576:26577 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 812.562922][T26577] binder: 26576:26577 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 812.572634][T26577] binder: 26576:26577 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 812.583947][T26577] binder: 26576:26577 got transaction to invalid handle 08:37:21 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r1 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) ioctl$KVM_SET_SIGNAL_MASK(r1, 0x4004ae8b, &(0x7f0000001240)=ANY=[]) 08:37:21 executing program 5: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:21 executing program 3: inotify_init1(0x0) socket$inet_udplite(0x2, 0x2, 0x88) socket(0x100000000a, 0x1, 0x0) socket$inet_udp(0x2, 0x2, 0x0) openat$null(0xffffffffffffff9c, &(0x7f0000000180)='/dev/null\x00', 0x0, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) openat$hwrng(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hwrng\x00', 0x0, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) syz_execute_func(&(0x7f00000000c0)="c462653dce0fbdc52ecd8080020cc4e1ed64338a20d0d0f040839230f000002a6626f243e0ff0070e4c653fb0f458fbd27a95f5744be3c3b6446ddcb8f48508e307b8f69289bd19d670f381d6a2f67450f483bd1d97c7c63460f09616196c401fe5ff666410fd7cae1b1c402010804f466400f38f556f6892a009f") [ 812.639475][T26577] binder: 26576:26577 transaction failed 29201/-22, size 0-40 line 2995 08:37:21 executing program 3: inotify_init1(0x0) socket$inet_udplite(0x2, 0x2, 0x88) socket(0x100000000a, 0x1, 0x0) socket$inet_udp(0x2, 0x2, 0x0) openat$null(0xffffffffffffff9c, &(0x7f0000000180)='/dev/null\x00', 0x0, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) openat$hwrng(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hwrng\x00', 0x0, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) syz_execute_func(&(0x7f00000000c0)="c462653dce0fbdc52ecd8080020cc4e1ed64338a20d0d0f040839230f000002a6626f243e0ff0070e4c653fb0f458fbd27a95f5744be3c3b6446ddcb8f48508e307b8f69289bd19d670f381d6a2f67450f483bd1d97c7c63460f09616196c401fe5ff666410fd7cae1b1c402010804f466400f38f556f6892a009f") 08:37:21 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x0, 0x31, 0xffffffffffffffff, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_SIGNAL_MASK(0xffffffffffffffff, 0x4004ae8b, &(0x7f0000001240)=ANY=[]) 08:37:21 executing program 5: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") [ 812.992644][T13002] binder: undelivered TRANSACTION_ERROR: 29201 08:37:22 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x20, 0xe0, 0x6, 0x0, 0x6, 0x0, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:22 executing program 3: inotify_init1(0x0) socket$inet_udplite(0x2, 0x2, 0x88) socket(0x100000000a, 0x1, 0x0) socket$inet_udp(0x2, 0x2, 0x0) openat$null(0xffffffffffffff9c, &(0x7f0000000180)='/dev/null\x00', 0x0, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) openat$hwrng(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hwrng\x00', 0x0, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) syz_execute_func(&(0x7f00000000c0)="c462653dce0fbdc52ecd8080020cc4e1ed64338a20d0d0f040839230f000002a6626f243e0ff0070e4c653fb0f458fbd27a95f5744be3c3b6446ddcb8f48508e307b8f69289bd19d670f381d6a2f67450f483bd1d97c7c63460f09616196c401fe5ff666410fd7cae1b1c402010804f466400f38f556f6892a009f") 08:37:22 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x2b, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:37:22 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x0, 0x31, 0xffffffffffffffff, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_SIGNAL_MASK(0xffffffffffffffff, 0x4004ae8b, &(0x7f0000001240)=ANY=[]) 08:37:22 executing program 5: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:22 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x1, 0x0) bind$unix(r1, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) listen(r1, 0x0) r2 = accept(r1, 0x0, 0x0) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) sendmsg$key(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) [ 813.577504][T26718] binder: 26710:26718 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 813.593808][T26718] binder: 26710:26718 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 813.605039][T26718] binder: 26710:26718 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 813.625801][T26718] binder: 26710:26718 got transaction to invalid handle [ 813.636381][T26718] binder: 26710:26718 transaction failed 29201/-22, size 0-40 line 2995 08:37:22 executing program 3: inotify_init1(0x0) socket$inet_udplite(0x2, 0x2, 0x88) socket(0x100000000a, 0x1, 0x0) socket$inet_udp(0x2, 0x2, 0x0) openat$null(0xffffffffffffff9c, &(0x7f0000000180)='/dev/null\x00', 0x0, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) openat$hwrng(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hwrng\x00', 0x0, 0x0) ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") syz_execute_func(&(0x7f00000000c0)="c462653dce0fbdc52ecd8080020cc4e1ed64338a20d0d0f040839230f000002a6626f243e0ff0070e4c653fb0f458fbd27a95f5744be3c3b6446ddcb8f48508e307b8f69289bd19d670f381d6a2f67450f483bd1d97c7c63460f09616196c401fe5ff666410fd7cae1b1c402010804f466400f38f556f6892a009f") 08:37:22 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x0, 0x31, 0xffffffffffffffff, 0x0) ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_SIGNAL_MASK(0xffffffffffffffff, 0x4004ae8b, &(0x7f0000001240)=ANY=[]) 08:37:22 executing program 5: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:22 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x32, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:37:22 executing program 3: inotify_init1(0x0) socket$inet_udplite(0x2, 0x2, 0x88) socket(0x100000000a, 0x1, 0x0) socket$inet_udp(0x2, 0x2, 0x0) openat$null(0xffffffffffffff9c, &(0x7f0000000180)='/dev/null\x00', 0x0, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) openat$hwrng(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hwrng\x00', 0x0, 0x0) ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") syz_execute_func(&(0x7f00000000c0)="c462653dce0fbdc52ecd8080020cc4e1ed64338a20d0d0f040839230f000002a6626f243e0ff0070e4c653fb0f458fbd27a95f5744be3c3b6446ddcb8f48508e307b8f69289bd19d670f381d6a2f67450f483bd1d97c7c63460f09616196c401fe5ff666410fd7cae1b1c402010804f466400f38f556f6892a009f") [ 813.807356][T13002] binder: undelivered TRANSACTION_ERROR: 29201 [ 813.900136][T26833] binder: 26830:26833 DecRefs 0 refcount change on invalid ref 2 ret -22 08:37:22 executing program 5: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") [ 813.964767][T26833] binder: 26830:26833 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 814.043125][T26833] binder: 26830:26833 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 814.087524][T26833] binder: 26830:26833 got transaction to invalid handle [ 814.108121][T26833] binder: 26830:26833 transaction failed 29201/-22, size 0-40 line 2995 [ 814.182549][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:37:23 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x20, 0xe0, 0x6, 0x0, 0x6, 0x0, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:23 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_SIGNAL_MASK(r2, 0x4004ae8b, 0x0) 08:37:23 executing program 3: inotify_init1(0x0) socket$inet_udplite(0x2, 0x2, 0x88) socket(0x100000000a, 0x1, 0x0) socket$inet_udp(0x2, 0x2, 0x0) openat$null(0xffffffffffffff9c, &(0x7f0000000180)='/dev/null\x00', 0x0, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) openat$hwrng(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hwrng\x00', 0x0, 0x0) ioctl(0xffffffffffffffff, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") syz_execute_func(&(0x7f00000000c0)="c462653dce0fbdc52ecd8080020cc4e1ed64338a20d0d0f040839230f000002a6626f243e0ff0070e4c653fb0f458fbd27a95f5744be3c3b6446ddcb8f48508e307b8f69289bd19d670f381d6a2f67450f483bd1d97c7c63460f09616196c401fe5ff666410fd7cae1b1c402010804f466400f38f556f6892a009f") 08:37:23 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x32, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:37:23 executing program 5: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:23 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x1, 0x0) bind$unix(r1, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) listen(r1, 0x0) r2 = accept(r1, 0x0, 0x0) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) sendmsg$key(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) [ 814.520175][T26957] binder: 26951:26957 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 814.543301][T26957] binder: 26951:26957 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER 08:37:23 executing program 3: inotify_init1(0x0) socket$inet_udplite(0x2, 0x2, 0x88) socket(0x100000000a, 0x1, 0x0) socket$inet_udp(0x2, 0x2, 0x0) openat$null(0xffffffffffffff9c, &(0x7f0000000180)='/dev/null\x00', 0x0, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") syz_execute_func(&(0x7f00000000c0)="c462653dce0fbdc52ecd8080020cc4e1ed64338a20d0d0f040839230f000002a6626f243e0ff0070e4c653fb0f458fbd27a95f5744be3c3b6446ddcb8f48508e307b8f69289bd19d670f381d6a2f67450f483bd1d97c7c63460f09616196c401fe5ff666410fd7cae1b1c402010804f466400f38f556f6892a009f") [ 814.568929][T26957] binder: 26951:26957 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 814.606134][T26957] binder: 26951:26957 got transaction to invalid handle 08:37:23 executing program 5: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:23 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_SIGNAL_MASK(r2, 0x4004ae8b, 0x0) [ 814.638657][T26957] binder: 26951:26957 transaction failed 29201/-22, size 0-40 line 2995 08:37:23 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x32, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:37:23 executing program 5: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") [ 814.801999][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 814.893399][T27073] binder: 27071:27073 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 814.924089][T27073] binder: 27071:27073 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 814.964693][T27073] binder: 27071:27073 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 814.988264][T27073] binder: 27071:27073 got transaction to invalid handle 08:37:23 executing program 4: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x0, 0x31, 0xffffffffffffffff, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_SIGNAL_MASK(r2, 0x4004ae8b, 0x0) [ 815.008443][T27073] binder: 27071:27073 transaction failed 29201/-22, size 0-40 line 2995 [ 815.187422][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:37:24 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x20, 0xe0, 0x6, 0x0, 0x6, 0x0, 0x0, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:24 executing program 4: syz_open_dev$sndctrl(0x0, 0x0, 0x0) read$rfkill(0xffffffffffffffff, 0x0, 0x0) openat$mixer(0xffffffffffffff9c, &(0x7f0000000140)='/dev/mixer\x00', 0x0, 0x0) ioctl$VHOST_GET_FEATURES(0xffffffffffffffff, 0x80044dfe, 0x0) fchdir(0xffffffffffffffff) sched_setattr(0x0, &(0x7f0000000080)={0x0, 0x2, 0x0, 0x0, 0x3}, 0x0) fsync(0xffffffffffffffff) r0 = open(&(0x7f0000000240)='./file0\x00', 0x40c2, 0x0) r1 = open$dir(&(0x7f0000000600)='./file0\x00', 0x4000, 0x0) write(r0, &(0x7f0000000400)="34fd98aa1d0e7adec937a5f331a75f487934f50242a0751944936972896c29a5068c8ecba1aa0a4e2a631b5180e1fbde79f4502dc4c4a1fba9dcd9ed83e639aefa1b87631c33d1a82cb0c0035676ddfeb0fe7984d7519b0f839d497fc9d64ef14d1de22220ff2623df4950134b9fb734a52adad95f131cce3672a9d7d7b400d2c62810b5f20351639330948107bf8d4534a03ac389455c54d8eb4d609b3e858b7213b38eb01f0eeaba3739ae927916e28da6a79a3fd5e32d30ab30bf959d4596e5ffbff6789a650b9e7d248d1ba849012336a4f3ef8fab07a8f5b81bb0bc45b2174538315ca12b7c723b2157562564a8a1f19d28179f8c565448e0e921b8c3e6fc4adaafa8b929ad077f633325b6a6f71a586cabc4883e03e19315f946b277858593a7367e232202fe9ad656c6768a1517da7f0498b48cb078e929fb11db0cc551f754bffc4859dd89a396915cc809b07d448573098409ea21371056f67ef4114ec10547f498d24513fe594308bf022868ad21e85bba811942fdc45161a1a8a7fe00d5c6b05ed7954f631bbd12a5c9a5cfa5965e0595de608b04ebe02b3fcbf3b9f57807a1a7ad8528992e2ec65949da2f4a0478dfd3ae52639c15d8aeaa351da6d393b58c772168fae604d097fef4d6b9360eb169a0b0ee70cdc22435a003e68698f61b3b63b1f51011bc8f4ef944c1de821785f670124a1c6ed18335d63412", 0x200) sendfile(r0, r1, 0x0, 0xc700000e) 08:37:24 executing program 5: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:24 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x36, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:37:24 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x1, 0x0) bind$unix(r1, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) connect$unix(r0, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) r2 = accept(r1, 0x0, 0x0) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) sendmsg$key(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) 08:37:24 executing program 3: inotify_init1(0x0) socket$inet_udplite(0x2, 0x2, 0x88) socket(0x100000000a, 0x1, 0x0) socket$inet_udp(0x2, 0x2, 0x0) openat$null(0xffffffffffffff9c, &(0x7f0000000180)='/dev/null\x00', 0x0, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") syz_execute_func(&(0x7f00000000c0)="c462653dce0fbdc52ecd8080020cc4e1ed64338a20d0d0f040839230f000002a6626f243e0ff0070e4c653fb0f458fbd27a95f5744be3c3b6446ddcb8f48508e307b8f69289bd19d670f381d6a2f67450f483bd1d97c7c63460f09616196c401fe5ff666410fd7cae1b1c402010804f466400f38f556f6892a009f") [ 815.582334][T27192] binder: 27191:27192 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 815.613308][ T26] audit: type=1800 audit(1556613444.527:78): pid=27198 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op=collect_data cause=failed(directio) comm="syz-executor.4" name="file0" dev="sda1" ino=17729 res=0 [ 815.624086][T27192] binder: 27191:27192 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER 08:37:24 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x1, 0x0) bind$unix(r1, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) connect$unix(r0, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) r2 = accept(r1, 0x0, 0x0) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) sendmsg$key(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) 08:37:24 executing program 5: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") [ 815.686032][T27192] binder: 27191:27192 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 815.702807][ T26] audit: type=1804 audit(1556613444.557:79): pid=27198 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op=invalid_pcr cause=open_writers comm="syz-executor.4" name="/root/syzkaller-testdir607269013/syzkaller.N27Gti/1218/file0" dev="sda1" ino=17729 res=1 [ 815.752766][T27192] binder: 27191:27192 got transaction to invalid handle [ 815.801852][T27192] binder: 27191:27192 transaction failed 29201/-22, size 0-40 line 2995 08:37:24 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x1, 0x0) bind$unix(r1, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) connect$unix(r0, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) r2 = accept(r1, 0x0, 0x0) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) sendmsg$key(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) [ 815.842835][ T26] audit: type=1800 audit(1556613444.557:80): pid=27198 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op=collect_data cause=failed(directio) comm="syz-executor.4" name="file0" dev="sda1" ino=17729 res=0 08:37:24 executing program 5: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:24 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x1, 0x0) listen(r1, 0x0) connect$unix(r0, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) r2 = accept(r1, 0x0, 0x0) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) sendmsg$key(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) 08:37:24 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x36, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 816.052208][T13002] binder: undelivered TRANSACTION_ERROR: 29201 [ 816.175057][T27322] binder: 27320:27322 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 816.204661][T27322] binder: 27320:27322 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 816.271258][T27322] binder: 27320:27322 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 816.308340][T27322] binder: 27320:27322 got transaction to invalid handle [ 816.332236][T27322] binder: 27320:27322 transaction failed 29201/-22, size 0-40 line 2995 [ 816.403567][ T26] audit: type=1804 audit(1556613445.317:81): pid=27384 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op=invalid_pcr cause=open_writers comm="syz-executor.4" name="/root/syzkaller-testdir607269013/syzkaller.N27Gti/1218/file0" dev="sda1" ino=17729 res=1 [ 816.503158][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 816.509669][ T26] audit: type=1800 audit(1556613445.317:82): pid=27384 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op=collect_data cause=failed(directio) comm="syz-executor.4" name="file0" dev="sda1" ino=17729 res=0 08:37:25 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x20, 0xe0, 0x6, 0x0, 0x6, 0x0, 0x0, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:25 executing program 4: syz_open_dev$sndctrl(0x0, 0x0, 0x0) read$rfkill(0xffffffffffffffff, 0x0, 0x0) r0 = openat$full(0xffffffffffffff9c, &(0x7f0000000040)='/dev/full\x00', 0x40, 0x0) ioctl(0xffffffffffffffff, 0x0, 0x0) openat$mixer(0xffffffffffffff9c, &(0x7f0000000140)='/dev/mixer\x00', 0x0, 0x0) ioctl$VHOST_GET_FEATURES(0xffffffffffffffff, 0x80044dfe, 0x0) syz_mount_image$msdos(&(0x7f0000000340)='msdos\x00', &(0x7f0000000280)='./file0\x00', 0xe800, 0x1, &(0x7f0000000180)=[{&(0x7f0000000000)="eb3c906d6b66732e66617400020401000200027400f8", 0x16}], 0x0, 0x0) r1 = open(&(0x7f0000000100)='./file0\x00', 0x0, 0x0) fchdir(r1) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) setsockopt$MISDN_TIME_STAMP(0xffffffffffffffff, 0x0, 0x1, 0x0, 0x0) sched_setattr(0x0, &(0x7f0000000080)={0x0, 0x2, 0x0, 0x0, 0x3}, 0x0) fsync(r0) r2 = open(&(0x7f0000000240)='./file0\x00', 0x40c2, 0x0) r3 = open$dir(&(0x7f0000000600)='./file0\x00', 0x4000, 0x0) ioctl$PERF_EVENT_IOC_SET_FILTER(0xffffffffffffffff, 0x40082406, 0x0) write(r2, &(0x7f0000000400)="34fd98aa1d0e7adec937a5f331a75f487934f50242a0751944936972896c29a5068c8ecba1aa0a4e2a631b5180e1fbde79f4502dc4c4a1fba9dcd9ed83e639aefa1b87631c33d1a82cb0c0035676ddfeb0fe7984d7519b0f839d497fc9d64ef14d1de22220ff2623df4950134b9fb734a52adad95f131cce3672a9d7d7b400d2c62810b5f20351639330948107bf8d4534a03ac389455c54d8eb4d609b3e858b7213b38eb01f0eeaba3739ae927916e28da6a79a3fd5e32d30ab30bf959d4596e5ffbff6789a650b9e7d248d1ba849012336a4f3ef8fab07a8f5b81bb0bc45b2174538315ca12b7c723b2157562564a8a1f19d28179f8c565448e0e921b8c3e6fc4adaafa8b929ad077f633325b6a6f71a586cabc4883e03e19315f946b277858593a7367e232202fe9ad656c6768a1517da7f0498b48cb078e929fb11db0cc551f754bffc4859dd89a396915cc809b07d448573098409ea21371056f67ef4114ec10547f498d24513fe594308bf022868ad21e85bba811942fdc45161a1a8a7fe00d5c6b05ed7954f631bbd12a5c9a5cfa5965e0595de608b04ebe02b3fcbf3b9f57807a1a7ad8528992e2ec65949da2f4a0478dfd3ae52639c15d8aeaa351da6d393b58c772168fae604d097fef4d6b9360eb169a0b0ee70cdc22435a003e68698f61b3b63b1f51011bc8f4ef944c1de821785f670124a1c6ed18335d63412", 0x200) sendfile(r2, r3, 0x0, 0xc700000e) 08:37:25 executing program 5: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:25 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x1, 0x0) listen(r1, 0x0) connect$unix(r0, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) r2 = accept(r1, 0x0, 0x0) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) sendmsg$key(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) 08:37:25 executing program 3: inotify_init1(0x0) socket$inet_udplite(0x2, 0x2, 0x88) socket(0x100000000a, 0x1, 0x0) socket$inet_udp(0x2, 0x2, 0x0) openat$null(0xffffffffffffff9c, &(0x7f0000000180)='/dev/null\x00', 0x0, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") syz_execute_func(&(0x7f00000000c0)="c462653dce0fbdc52ecd8080020cc4e1ed64338a20d0d0f040839230f000002a6626f243e0ff0070e4c653fb0f458fbd27a95f5744be3c3b6446ddcb8f48508e307b8f69289bd19d670f381d6a2f67450f483bd1d97c7c63460f09616196c401fe5ff666410fd7cae1b1c402010804f466400f38f556f6892a009f") 08:37:25 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x36, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 816.787349][T27439] binder: 27438:27439 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 816.803153][T27439] binder: 27438:27439 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER 08:37:25 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x1, 0x0) listen(r1, 0x0) connect$unix(r0, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) r2 = accept(r1, 0x0, 0x0) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) sendmsg$key(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) [ 816.877942][T27439] binder: 27438:27439 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 816.881533][ T26] audit: type=1800 audit(1556613445.787:83): pid=27444 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op=collect_data cause=failed(directio) comm="syz-executor.4" name="file0" dev="sda1" ino=17474 res=0 [ 816.952654][T27439] binder: 27438:27439 got transaction to invalid handle [ 817.003370][T27439] binder: 27438:27439 transaction failed 29201/-22, size 0-40 line 2995 08:37:25 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) bind$unix(0xffffffffffffffff, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) listen(0xffffffffffffffff, 0x0) connect$unix(r0, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) r1 = accept(0xffffffffffffffff, 0x0, 0x0) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) sendmsg$key(r1, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) [ 817.029661][ T26] audit: type=1804 audit(1556613445.827:84): pid=27444 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op=invalid_pcr cause=open_writers comm="syz-executor.4" name="/root/syzkaller-testdir607269013/syzkaller.N27Gti/1219/file0/file0" dev="sda1" ino=17474 res=1 [ 817.089324][ T26] audit: type=1800 audit(1556613445.827:85): pid=27444 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op=collect_data cause=failed(directio) comm="syz-executor.4" name="file0" dev="sda1" ino=17474 res=0 08:37:26 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) bind$unix(0xffffffffffffffff, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) listen(0xffffffffffffffff, 0x0) connect$unix(r0, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) r1 = accept(0xffffffffffffffff, 0x0, 0x0) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) sendmsg$key(r1, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) 08:37:26 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x38, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec0"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:37:26 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) bind$unix(0xffffffffffffffff, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) listen(0xffffffffffffffff, 0x0) connect$unix(r0, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) r1 = accept(0xffffffffffffffff, 0x0, 0x0) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) sendmsg$key(r1, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) [ 817.258208][T13002] binder: undelivered TRANSACTION_ERROR: 29201 08:37:26 executing program 5: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") [ 817.359731][T27562] binder: 27561:27562 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 817.421231][T27562] binder: 27561:27562 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 817.444651][T27562] binder: 27561:27562 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 817.482189][T27562] binder: 27561:27562 got transaction to invalid handle [ 817.499996][T27562] binder: 27561:27562 transaction failed 29201/-22, size 0-40 line 2995 [ 817.584334][ T26] audit: type=1804 audit(1556613446.497:86): pid=27444 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op=invalid_pcr cause=open_writers comm="syz-executor.4" name="/root/syzkaller-testdir607269013/syzkaller.N27Gti/1219/file0/file0" dev="sda1" ino=17474 res=1 [ 817.641235][T13002] binder: undelivered TRANSACTION_ERROR: 29201 [ 817.713402][ T26] audit: type=1804 audit(1556613446.547:87): pid=27671 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op=invalid_pcr cause=open_writers comm="syz-executor.4" name="/root/syzkaller-testdir607269013/syzkaller.N27Gti/1219/file0/file0" dev="sda1" ino=17474 res=1 08:37:26 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x38, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec0"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) 08:37:26 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) bind$unix(r0, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) listen(r0, 0x0) connect$unix(0xffffffffffffffff, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) r1 = accept(r0, 0x0, 0x0) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) sendmsg$key(r1, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(0xffffffffffffffff, 0x0, 0x0, 0xc08e, 0x0, 0x0) 08:37:26 executing program 3: inotify_init1(0x0) socket$inet_udplite(0x2, 0x2, 0x88) socket(0x100000000a, 0x1, 0x0) socket$inet_udp(0x2, 0x2, 0x0) openat$null(0xffffffffffffff9c, &(0x7f0000000180)='/dev/null\x00', 0x0, 0x0) openat$hwrng(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hwrng\x00', 0x0, 0x0) r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") syz_execute_func(&(0x7f00000000c0)="c462653dce0fbdc52ecd8080020cc4e1ed64338a20d0d0f040839230f000002a6626f243e0ff0070e4c653fb0f458fbd27a95f5744be3c3b6446ddcb8f48508e307b8f69289bd19d670f381d6a2f67450f483bd1d97c7c63460f09616196c401fe5ff666410fd7cae1b1c402010804f466400f38f556f6892a009f") 08:37:26 executing program 4: read$rfkill(0xffffffffffffffff, 0x0, 0x0) openat$full(0xffffffffffffff9c, 0x0, 0x40, 0x0) ioctl$VHOST_GET_FEATURES(0xffffffffffffffff, 0x80044dfe, 0x0) r0 = open(&(0x7f0000000100)='./file0\x00', 0x0, 0x0) fchdir(r0) setsockopt$MISDN_TIME_STAMP(0xffffffffffffffff, 0x0, 0x1, 0x0, 0x0) sched_setattr(0x0, &(0x7f0000000080)={0x0, 0x2, 0x0, 0x0, 0x3}, 0x0) r1 = open(&(0x7f0000000240)='./file0\x00', 0x40c2, 0x0) r2 = open$dir(&(0x7f0000000600)='./file0\x00', 0x4000, 0x0) write(r1, &(0x7f0000000400)="34fd98aa1d0e7adec937a5f331a75f487934f50242a0751944936972896c29a5068c8ecba1aa0a4e2a631b5180e1fbde79f4502dc4c4a1fba9dcd9ed83e639aefa1b87631c33d1a82cb0c0035676ddfeb0fe7984d7519b0f839d497fc9d64ef14d1de22220ff2623df4950134b9fb734a52adad95f131cce3672a9d7d7b400d2c62810b5f20351639330948107bf8d4534a03ac389455c54d8eb4d609b3e858b7213b38eb01f0eeaba3739ae927916e28da6a79a3fd5e32d30ab30bf959d4596e5ffbff6789a650b9e7d248d1ba849012336a4f3ef8fab07a8f5b81bb0bc45b2174538315ca12b7c723b2157562564a8a1f19d28179f8c565448e0e921b8c3e6fc4adaafa8b929ad077f633325b6a6f71a586cabc4883e03e19315f946b277858593a7367e232202fe9ad656c6768a1517da7f0498b48cb078e929fb11db0cc551f754bffc4859dd89a396915cc809b07d448573098409ea21371056f67ef4114ec10547f498d24513fe594308bf022868ad21e85bba811942fdc45161a1a8a7fe00d5c6b05ed7954f631bbd12a5c9a5cfa5965e0595de608b04ebe02b3fcbf3b9f57807a1a7ad8528992e2ec65949da2f4a0478dfd3ae52639c15d8aeaa351da6d393b58c772168fae604d097fef4d6b9360eb169a0b0ee70cdc22435a003e68698f61b3b63b1f51011bc8f4ef944c1de821785f670124a1c6ed18335d63412", 0x200) sendfile(r1, r2, 0x0, 0xc700000e) 08:37:26 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x20, 0xe0, 0x6, 0x0, 0x6, 0x0, 0x0, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:26 executing program 5: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") [ 818.099141][T27688] binder: 27679:27688 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 818.107684][T27688] binder: 27679:27688 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER [ 818.294509][T27688] binder: 27679:27688 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 818.303183][T27688] binder: 27679:27688 got transaction to invalid handle [ 818.311630][T27688] binder: 27679:27688 transaction failed 29201/-22, size 0-40 line 2995 08:37:27 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x38, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec0"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, &(0x7f00000005c0)='/dev/binder#\x00', 0xd) [ 818.348854][T13002] binder: undelivered TRANSACTION_ERROR: 29201 [ 818.425247][T27797] binder: 27796:27797 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 818.448123][T27797] binder: 27796:27797 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER 08:37:27 executing program 5: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") [ 818.479947][T27797] binder: 27796:27797 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 818.504138][T27797] binder: 27796:27797 got transaction to invalid handle [ 818.530767][T27797] binder: 27796:27797 transaction failed 29201/-22, size 0-40 line 2995 08:37:27 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, 0x0, 0x0) [ 818.710703][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 818.796322][T27905] binder: 27904:27905 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 818.818190][T27905] binder: 27904:27905 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER 08:37:27 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) bind$unix(r0, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) listen(r0, 0x0) connect$unix(0xffffffffffffffff, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) r1 = accept(r0, 0x0, 0x0) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) sendmsg$key(r1, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(0xffffffffffffffff, 0x0, 0x0, 0xc08e, 0x0, 0x0) 08:37:27 executing program 4: perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$sequencer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer\x00', 0x1c5243, 0x0) [ 818.872145][T27905] binder: 27904:27905 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 818.886582][T27905] binder: 27904:27905 got transaction to invalid handle [ 818.894199][T27905] binder: 27904:27905 transaction failed 29201/-22, size 0-40 line 2995 08:37:27 executing program 3: inotify_init1(0x0) socket$inet_udplite(0x2, 0x2, 0x88) socket(0x100000000a, 0x1, 0x0) socket$inet_udp(0x2, 0x2, 0x0) openat$null(0xffffffffffffff9c, &(0x7f0000000180)='/dev/null\x00', 0x0, 0x0) openat$hwrng(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hwrng\x00', 0x0, 0x0) r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") syz_execute_func(&(0x7f00000000c0)="c462653dce0fbdc52ecd8080020cc4e1ed64338a20d0d0f040839230f000002a6626f243e0ff0070e4c653fb0f458fbd27a95f5744be3c3b6446ddcb8f48508e307b8f69289bd19d670f381d6a2f67450f483bd1d97c7c63460f09616196c401fe5ff666410fd7cae1b1c402010804f466400f38f556f6892a009f") 08:37:27 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, 0x0, 0x0) [ 819.058213][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:37:28 executing program 5: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") [ 819.120078][T28022] binder: 28021:28022 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 819.147735][T28022] binder: 28021:28022 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER 08:37:28 executing program 4: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") [ 819.210532][T28022] binder: 28021:28022 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 819.245929][T28022] binder: 28021:28022 got transaction to invalid handle [ 819.253153][T28022] binder: 28021:28022 transaction failed 29201/-22, size 0-40 line 2995 08:37:28 executing program 0: syz_open_dev$binder(&(0x7f0000000040)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000580)={0x70, 0x0, &(0x7f00000004c0)=[@decrefs={0x40046307, 0x2}, @enter_looper, @register_looper, @request_death={0x400c630e, 0x0, 0x2}, @exit_looper, @transaction_sg={0x40486311, {{0x2, 0x0, 0x2, 0x0, 0x11, 0x0, 0x0, 0x0, 0x28, &(0x7f0000000440), &(0x7f0000000480)=[0x0, 0x18, 0x30, 0x38, 0x0]}, 0x5}}], 0x39, 0x0, &(0x7f0000000540)="daf0862ca3e65a0cc61e2fb601d8a6e3c7f5591e2a7da1748d0f231f4f46d87b523c176763a5da1420c2ea3ea98ab03bcba3652f5cdd5ec01c"}) setsockopt$RXRPC_SECURITY_KEY(0xffffffffffffffff, 0x110, 0x1, 0x0, 0x0) 08:37:28 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x20, 0xe0, 0x6, 0x0, 0x6, 0x0, 0x3, 0x0, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) [ 819.436507][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 819.505633][T28133] binder: 28132:28133 DecRefs 0 refcount change on invalid ref 2 ret -22 [ 819.529143][T28133] binder: 28132:28133 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER 08:37:28 executing program 5: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x0, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") [ 819.550091][T28133] binder: 28132:28133 got transaction to invalid handle [ 819.565439][T28133] binder: 28132:28133 transaction failed 29201/-22, size 0-40 line 2995 08:37:28 executing program 4: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:28 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x20, 0xe0, 0x6, 0x0, 0x6, 0x0, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:28 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) bind$unix(r0, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) listen(r0, 0x0) connect$unix(0xffffffffffffffff, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) r1 = accept(r0, 0x0, 0x0) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) sendmsg$key(r1, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(0xffffffffffffffff, 0x0, 0x0, 0xc08e, 0x0, 0x0) [ 819.798947][ T17] binder: undelivered TRANSACTION_ERROR: 29201 08:37:28 executing program 3: inotify_init1(0x0) socket$inet_udplite(0x2, 0x2, 0x88) socket(0x100000000a, 0x1, 0x0) socket$inet_udp(0x2, 0x2, 0x0) openat$null(0xffffffffffffff9c, &(0x7f0000000180)='/dev/null\x00', 0x0, 0x0) openat$hwrng(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hwrng\x00', 0x0, 0x0) r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") syz_execute_func(&(0x7f00000000c0)="c462653dce0fbdc52ecd8080020cc4e1ed64338a20d0d0f040839230f000002a6626f243e0ff0070e4c653fb0f458fbd27a95f5744be3c3b6446ddcb8f48508e307b8f69289bd19d670f381d6a2f67450f483bd1d97c7c63460f09616196c401fe5ff666410fd7cae1b1c402010804f466400f38f556f6892a009f") 08:37:28 executing program 5: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x0, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:29 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x20, 0xe0, 0x6, 0x0, 0x6, 0x0, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:29 executing program 4: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x20, 0xe0, 0x6, 0x0, 0x6, 0x0, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:29 executing program 0: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x20, 0xe0, 0x6, 0x0, 0x6, 0x0, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:29 executing program 5: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x0, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:29 executing program 2: r0 = socket$unix(0x1, 0x0, 0x0) r1 = socket$unix(0x1, 0x1, 0x0) bind$unix(r1, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) listen(r1, 0x0) connect$unix(r0, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) r2 = accept(r1, 0x0, 0x0) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) sendmsg$key(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) 08:37:29 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x20, 0xe0, 0x6, 0x0, 0x6, 0x0, 0x3, 0x0, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:29 executing program 3: inotify_init1(0x0) socket$inet_udplite(0x2, 0x2, 0x88) socket(0x100000000a, 0x1, 0x0) socket$inet_udp(0x2, 0x2, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) openat$hwrng(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hwrng\x00', 0x0, 0x0) r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") syz_execute_func(&(0x7f00000000c0)="c462653dce0fbdc52ecd8080020cc4e1ed64338a20d0d0f040839230f000002a6626f243e0ff0070e4c653fb0f458fbd27a95f5744be3c3b6446ddcb8f48508e307b8f69289bd19d670f381d6a2f67450f483bd1d97c7c63460f09616196c401fe5ff666410fd7cae1b1c402010804f466400f38f556f6892a009f") 08:37:29 executing program 0: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x0, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:29 executing program 5: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:30 executing program 0: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x0, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:30 executing program 5: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:30 executing program 2: r0 = socket$unix(0x1, 0x0, 0x0) r1 = socket$unix(0x1, 0x1, 0x0) bind$unix(r1, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) listen(r1, 0x0) connect$unix(r0, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) r2 = accept(r1, 0x0, 0x0) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) sendmsg$key(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) 08:37:30 executing program 4: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x20, 0xe0, 0x6, 0x0, 0x6, 0x0, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:30 executing program 3: inotify_init1(0x0) socket$inet_udplite(0x2, 0x2, 0x88) socket(0x100000000a, 0x1, 0x0) socket$inet_udp(0x2, 0x2, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) openat$hwrng(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hwrng\x00', 0x0, 0x0) r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") syz_execute_func(&(0x7f00000000c0)="c462653dce0fbdc52ecd8080020cc4e1ed64338a20d0d0f040839230f000002a6626f243e0ff0070e4c653fb0f458fbd27a95f5744be3c3b6446ddcb8f48508e307b8f69289bd19d670f381d6a2f67450f483bd1d97c7c63460f09616196c401fe5ff666410fd7cae1b1c402010804f466400f38f556f6892a009f") 08:37:30 executing program 0: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x0, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:30 executing program 5: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:31 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x20, 0xe0, 0x6, 0x0, 0x6, 0x0, 0x3, 0x0, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:31 executing program 5: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x0, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:31 executing program 0: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:31 executing program 2: r0 = socket$unix(0x1, 0x0, 0x0) r1 = socket$unix(0x1, 0x1, 0x0) bind$unix(r1, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) listen(r1, 0x0) connect$unix(r0, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) r2 = accept(r1, 0x0, 0x0) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) sendmsg$key(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) 08:37:31 executing program 5: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x0, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:31 executing program 5: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x0, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:31 executing program 3: inotify_init1(0x0) socket$inet_udplite(0x2, 0x2, 0x88) socket(0x100000000a, 0x1, 0x0) socket$inet_udp(0x2, 0x2, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) openat$hwrng(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hwrng\x00', 0x0, 0x0) r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") syz_execute_func(&(0x7f00000000c0)="c462653dce0fbdc52ecd8080020cc4e1ed64338a20d0d0f040839230f000002a6626f243e0ff0070e4c653fb0f458fbd27a95f5744be3c3b6446ddcb8f48508e307b8f69289bd19d670f381d6a2f67450f483bd1d97c7c63460f09616196c401fe5ff666410fd7cae1b1c402010804f466400f38f556f6892a009f") 08:37:31 executing program 5: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x10, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:32 executing program 4: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x20, 0xe0, 0x6, 0x0, 0x6, 0x0, 0x3, 0xab3, 0x7fff, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:32 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x20, 0xe0, 0x6, 0x0, 0x6, 0x0, 0x3, 0xab3, 0x0, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:32 executing program 0: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:32 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x0, 0x0) bind$unix(r1, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) listen(r1, 0x0) connect$unix(r0, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) r2 = accept(r1, 0x0, 0x0) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) sendmsg$key(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) 08:37:32 executing program 3: inotify_init1(0x0) socket$inet_udplite(0x2, 0x2, 0x88) socket(0x100000000a, 0x1, 0x0) openat$null(0xffffffffffffff9c, &(0x7f0000000180)='/dev/null\x00', 0x0, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) openat$hwrng(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hwrng\x00', 0x0, 0x0) r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") syz_execute_func(&(0x7f00000000c0)="c462653dce0fbdc52ecd8080020cc4e1ed64338a20d0d0f040839230f000002a6626f243e0ff0070e4c653fb0f458fbd27a95f5744be3c3b6446ddcb8f48508e307b8f69289bd19d670f381d6a2f67450f483bd1d97c7c63460f09616196c401fe5ff666410fd7cae1b1c402010804f466400f38f556f6892a009f") 08:37:32 executing program 5: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x10, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:32 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x0, 0x0) bind$unix(r1, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) listen(r1, 0x0) connect$unix(r0, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) r2 = accept(r1, 0x0, 0x0) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) sendmsg$key(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) 08:37:33 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x0, 0x0) bind$unix(r1, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) listen(r1, 0x0) connect$unix(r0, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) r2 = accept(r1, 0x0, 0x0) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) sendmsg$key(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) 08:37:33 executing program 0: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:33 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x1, 0x0) bind$unix(0xffffffffffffffff, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) listen(r1, 0x0) connect$unix(r0, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) r2 = accept(r1, 0x0, 0x0) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) sendmsg$key(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) 08:37:33 executing program 3: inotify_init1(0x0) socket$inet_udplite(0x2, 0x2, 0x88) socket(0x100000000a, 0x1, 0x0) openat$null(0xffffffffffffff9c, &(0x7f0000000180)='/dev/null\x00', 0x0, 0x0) socket$inet_udplite(0x2, 0x2, 0x88) openat$hwrng(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hwrng\x00', 0x0, 0x0) r0 = socket$inet_udplite(0x2, 0x2, 0x88) ioctl(r0, 0x1000008912, &(0x7f0000000000)="0adc1f123c123f319bd070") syz_execute_func(&(0x7f00000000c0)="c462653dce0fbdc52ecd8080020cc4e1ed64338a20d0d0f040839230f000002a6626f243e0ff0070e4c653fb0f458fbd27a95f5744be3c3b6446ddcb8f48508e307b8f69289bd19d670f381d6a2f67450f483bd1d97c7c63460f09616196c401fe5ff666410fd7cae1b1c402010804f466400f38f556f6892a009f") 08:37:33 executing program 1: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='stat\t\xc0\xd2\xfe\xbc\xf9\xdf-\xea\xc8\xc1w\xff\x17\x12H\xe9\x11\x93Q0I\xf81U\ro}\xe6l\xf67\xbd\xbf\x13\x11\x92\f\x8a&\xed\xa4\xdc\xc3x?\x9d\xb5\x11k4\xd3\x1b\x05\x12\xa5`\x8a\xaf\xf0\x1eyR4\f\xd6\xfd\x00\x00\x00\x00', 0x275a, 0x0) r1 = creat(&(0x7f0000000140)='./file0\x00', 0x0) write$P9_RREAD(r1, &(0x7f0000000200)=ANY=[], 0x5aa78d33) perf_event_open(&(0x7f000001d000)={0x1, 0x6b, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) fallocate(r0, 0x0, 0x0, 0x10fffe) ioctl$EXT4_IOC_MOVE_EXT(r0, 0xc028660f, &(0x7f0000000100)={0x0, r1}) ioctl$EXT4_IOC_ALLOC_DA_BLKS(r1, 0x660c) openat$pidfd(0xffffffffffffff9c, 0x0, 0x1, 0x0) r2 = getpgrp(0xffffffffffffffff) perf_event_open(&(0x7f0000000180)={0x3, 0x70, 0x400, 0x0, 0x826, 0xfffffffffffffffa, 0x0, 0x0, 0x204, 0x4, 0x1, 0x3ff, 0xf9d, 0x0, 0x0, 0x8001, 0x0, 0x20, 0xe0, 0x6, 0x0, 0x6, 0x0, 0x3, 0xab3, 0x0, 0x9, 0x7fffffff, 0x0, 0x3, 0x3, 0x8, 0x5, 0x7, 0x6, 0x10001, 0xff, 0xff, 0x0, 0x5, 0x7, @perf_config_ext={0x800, 0x100000000}, 0x400, 0x800000000, 0x4c64dd4d, 0x19c741569de75235, 0x3, 0x4494e89f, 0x8d88}, r2, 0x6, r1, 0xb) 08:37:33 executing program 4: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x10, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:33 executing program 2: r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x1, 0x0) bind$unix(0xffffffffffffffff, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) listen(r1, 0x0) connect$unix(r0, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) r2 = accept(r1, 0x0, 0x0) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) sendmsg$key(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) 08:37:33 executing program 5: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x10, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") 08:37:33 executing program 0: r0 = socket$unix(0x1, 0x1, 0x0) r1 = socket$unix(0x1, 0x0, 0x0) bind$unix(r1, &(0x7f00000001c0)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x56) listen(r1, 0x0) connect$unix(r0, &(0x7f0000000140)=@file={0x1, '\xe9\x1fq\x89Y\x1e\x923aK\x00'}, 0x6e) r2 = accept(r1, 0x0, 0x0) setsockopt$sock_int(r0, 0x1, 0x2a, &(0x7f0000000080)=0x200, 0x4) sendmsg$key(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)={0x2, 0x0, 0x0, 0x0, 0x2}, 0x10}}, 0x0) recvfrom$unix(r0, 0x0, 0x0, 0xc08e, 0x0, 0x0) [ 930.028669][ C1] rcu: INFO: rcu_preempt self-detected stall on CPU [ 930.035715][ C1] rcu: 1-...!: (1 GPs behind) idle=572/1/0x4000000000000002 softirq=97995/97996 fqs=5 [ 930.046019][ C1] rcu: (t=10501 jiffies g=141781 q=129) [ 930.051765][ C1] rcu: rcu_preempt kthread starved for 10491 jiffies! g141781 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=0 [ 930.063150][ C1] rcu: RCU grace-period kthread stack dump: [ 930.069044][ C1] rcu_preempt R running task 29168 10 2 0x80000000 [ 930.077154][ C1] Call Trace: [ 930.080500][ C1] __schedule+0x813/0x1cc0 [ 930.084950][ C1] ? __sched_text_start+0x8/0x8 [ 930.089805][ C1] ? _raw_spin_unlock_irqrestore+0x6b/0xe0 [ 930.095680][ C1] ? lockdep_hardirqs_on+0x418/0x5d0 [ 930.100999][ C1] ? trace_hardirqs_on+0x67/0x230 [ 930.106031][ C1] schedule+0x92/0x180 [ 930.110112][ C1] schedule_timeout+0x4db/0xfd0 [ 930.114981][ C1] ? usleep_range+0x170/0x170 [ 930.119665][ C1] ? trace_hardirqs_on+0x67/0x230 [ 930.124737][ C1] ? kasan_check_read+0x11/0x20 [ 930.129614][ C1] ? __next_timer_interrupt+0x1a0/0x1a0 [ 930.135175][ C1] ? prepare_to_swait_exclusive+0x120/0x120 [ 930.141111][ C1] rcu_gp_kthread+0x962/0x17b0 [ 930.145913][ C1] ? kasan_check_write+0x14/0x20 [ 930.150869][ C1] ? wait_rcu_exp_gp+0x50/0x50 [ 930.155728][ C1] ? trace_hardirqs_on+0x67/0x230 [ 930.160937][ C1] ? kasan_check_read+0x11/0x20 [ 930.165808][ C1] ? _raw_spin_unlock_irqrestore+0xa4/0xe0 [ 930.171642][ C1] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 930.177896][ C1] ? __kthread_parkme+0xfb/0x1b0 [ 930.182870][ C1] kthread+0x357/0x430 [ 930.186954][ C1] ? wait_rcu_exp_gp+0x50/0x50 [ 930.191727][ C1] ? kthread_cancel_delayed_work_sync+0x20/0x20 [ 930.197996][ C1] ret_from_fork+0x3a/0x50 [ 930.202432][ C1] NMI backtrace for cpu 1 [ 930.206768][ C1] CPU: 1 PID: 29295 Comm: syz-executor.5 Not tainted 5.1.0-rc7+ #92 [ 930.214742][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 930.224802][ C1] Call Trace: [ 930.228108][ C1] [ 930.230974][ C1] dump_stack+0x172/0x1f0 [ 930.235316][ C1] nmi_cpu_backtrace.cold+0x63/0xa4 [ 930.240556][ C1] ? lapic_can_unplug_cpu.cold+0x38/0x38 [ 930.246218][ C1] nmi_trigger_cpumask_backtrace+0x1be/0x236 [ 930.252209][ C1] arch_trigger_cpumask_backtrace+0x14/0x20 [ 930.258124][ C1] rcu_dump_cpu_stacks+0x183/0x1cf [ 930.263344][ C1] rcu_sched_clock_irq.cold+0x500/0xa4a [ 930.268907][ C1] ? raise_softirq+0x11f/0x310 [ 930.273694][ C1] update_process_times+0x32/0x80 [ 930.278727][ C1] tick_sched_handle+0xa2/0x190 [ 930.283679][ C1] tick_sched_timer+0x47/0x130 [ 930.288478][ C1] __hrtimer_run_queues+0x33e/0xde0 [ 930.293693][ C1] ? tick_sched_do_timer+0x1b0/0x1b0 [ 930.298997][ C1] ? hrtimer_start_range_ns+0xc80/0xc80 [ 930.304566][ C1] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 930.310291][ C1] ? ktime_get_update_offsets_now+0x2d9/0x440 [ 930.316388][ C1] hrtimer_interrupt+0x314/0x770 [ 930.321355][ C1] smp_apic_timer_interrupt+0x120/0x570 [ 930.327002][ C1] apic_timer_interrupt+0xf/0x20 [ 930.331953][ C1] [ 930.334901][ C1] RIP: 0010:kmem_cache_alloc+0x28b/0x6f0 [ 930.340535][ C1] Code: 7e 0f 85 cd fe ff ff e8 54 2a 58 ff e9 c3 fe ff ff e8 39 bd cd ff 48 83 3d f1 5a ea 06 00 0f 84 15 03 00 00 48 8b 7d d0 57 9d <0f> 1f 44 00 00 e9 60 fe ff ff 31 d2 be a2 01 00 00 48 c7 c7 0a fe [ 930.360231][ C1] RSP: 0018:ffff888065307d30 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13 [ 930.368657][ C1] RAX: 0000000000000007 RBX: 0000000000000cc0 RCX: 0000000000000000 [ 930.376747][ C1] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000286 [ 930.384725][ C1] RBP: ffff888065307d98 R08: ffff8880a0324500 R09: 0000000000000000 [ 930.392707][ C1] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88821bc45b00 [ 930.400775][ C1] R13: ffff88821bc45b00 R14: 0000000000000cc0 R15: ffff888081b221c0 [ 930.408798][ C1] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 930.414285][ C1] getname_flags+0xd6/0x5b0 [ 930.418804][ C1] user_path_at_empty+0x2f/0x50 [ 930.423683][ C1] path_setxattr+0xae/0x1b0 [ 930.428199][ C1] ? setxattr+0x380/0x380 [ 930.432558][ C1] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 930.438026][ C1] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 930.443504][ C1] ? do_syscall_64+0x26/0x610 [ 930.448280][ C1] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 930.454439][ C1] ? do_syscall_64+0x26/0x610 [ 930.459129][ C1] __x64_sys_setxattr+0xc4/0x150 [ 930.464090][ C1] do_syscall_64+0x103/0x610 [ 930.468696][ C1] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 930.474608][ C1] RIP: 0033:0x2000068b [ 930.478710][ C1] Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 98 a8 4a 2a e9 2c 21 1c 42 0f 05 03 00 00 00 c4 a3 7b f0 c5 5c 41 e2 e9 2e 36 3e 46 0f 1a 70 00 [ 930.498350][ C1] RSP: 002b:00007f9275772bd8 EFLAGS: 00000282 ORIG_RAX: 00000000000000bc [ 930.506773][ C1] RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 000000002000068b [ 930.514757][ C1] RDX: e27eb1bea58e8070 RSI: 0000000000000000 RDI: 0000000000000003 [ 930.522777][ C1] RBP: 0000000000000078 R08: 0000000000000005 R09: 0000000000000006 08:39:19 executing program 0: syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(0xffffffffffffffff, 0x6430) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008032, 0xffffffffffffffff, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00000, 0x0, 0x0, 0x5701, 0x10000000002) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) syz_execute_func(&(0x7f0000000680)="98a84a2ae92c211c420f05bf03000000c4a37bf0c55c41e2e92e363e460f1a7000660fde978fe97c80d1e3e30b110fb8c4014e4e0b5b5b016d7d14dee509c421045f4607c422adaf50e3c4e10bf8c45b70c4c4c4a3bd4877f88ac483397fd300f7dcdc0fbcaf4c10f138f653afaf6766f2ab440fec3facacc4c3214cb9a5604b19c201b00b000000f08171a30b8a826e670f542c3d271c0000a80dd4d48f6978d25debe8628f680864360fe25800218de3c0f52641802d08000000fa49c4f6a1dd7dbbbfdd5c450f918fffefffffbedcdca1c9fb110f66474f383ae34ba29fb7e2") [ 930.530933][ C1] R10: 0000000000000007 R11: 0000000000000282 R12: 000000000000000b [ 930.538912][ C1] R13: 000000000000000c R14: 000000000000000d R15: 00000000ffffffff 2019/04/30 08:39:19 Manager.Poll call failed: connection is shut down