dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0xd00000000000000)

[  327.575811][T21382] binder: 21380:21382 got transaction to invalid handle
15:41:40 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x01', 0x0, 0x0)

15:41:40 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xc0ed0000, 0x0)

15:41:40 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0})

[  327.680207][T21414] binder_alloc_mmap_handler: 3 callbacks suppressed
[  327.680226][T21414] binder_alloc: binder_alloc_mmap_handler: 21380 20001000-20004000 already mapped failed -16
15:41:40 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0xc00000000000000)

15:41:40 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  327.775194][T21382] binder: BINDER_SET_CONTEXT_MGR already set
[  327.806395][T21382] binder: 21380:21382 ioctl 40046207 0 returned -16
[  327.814881][T21427] binder_alloc: 21380: binder_alloc_buf, no vma
[  327.835106][ T7767] binder: release 21380:21382 transaction 741 out, still active
[  327.850923][ T7767] binder: unexpected work type, 4, not freed
[  327.874702][ T7767] binder_release_work: 2 callbacks suppressed
15:41:40 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x2000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  327.874706][ T7767] binder: undelivered TRANSACTION_COMPLETE
[  327.891092][ T7767] binder: send failed reply for transaction 741, target dead
[  328.010802][T21441] binder: 21435:21441 got transaction to invalid handle
15:41:41 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0xe00000000000000)

[  328.051412][T21502] binder_alloc: binder_alloc_mmap_handler: 21435 20001000-20004000 already mapped failed -16
[  328.051662][T21469] binder: BINDER_SET_CONTEXT_MGR already set
[  328.068506][T21469] binder: 21460:21469 ioctl 40046207 0 returned -16
15:41:41 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf6ffffff, 0x0)

[  328.124184][T21441] binder: BINDER_SET_CONTEXT_MGR already set
[  328.162206][T21441] binder: 21435:21441 ioctl 40046207 0 returned -16
[  328.179657][ T7752] binder: send failed reply for transaction 747 to 21435:21441
[  328.210297][ T7752] binder: undelivered TRANSACTION_COMPLETE
15:41:41 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x18000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:41:41 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:41:41 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0xc71d7f500000000)

15:41:41 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0})

[  328.340599][T21729] binder: 21725:21729 got transaction to invalid handle
15:41:41 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf9fdffff, 0x0)

[  328.401768][T21767] binder_alloc: binder_alloc_mmap_handler: 21725 20001000-20004000 already mapped failed -16
[  328.458118][T21765] binder: BINDER_SET_CONTEXT_MGR already set
[  328.486798][T21765] binder: 21764:21765 ioctl 40046207 0 returned -16
[  328.531368][T21729] binder_alloc: 21725: binder_alloc_buf, no vma
[  328.569191][T21815] binder: BINDER_SET_CONTEXT_MGR already set
15:41:41 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0xf00000000000000)

[  328.634516][T21815] binder: 21725:21815 ioctl 40046207 0 returned -16
[  328.634721][ T7752] binder: release 21725:21729 transaction 752 out, still active
15:41:41 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x03', 0x0, 0x0)

15:41:41 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xfffff000, 0x0)

15:41:41 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0})

15:41:41 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0xfdfdffff, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  328.782396][ T7752] binder: unexpected work type, 4, not freed
[  328.788428][ T7752] binder: undelivered TRANSACTION_COMPLETE
[  328.814729][T21990] binder: BINDER_SET_CONTEXT_MGR already set
15:41:41 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x02', 0x0, 0x0)

[  328.853044][T21990] binder: 21989:21990 ioctl 40046207 0 returned -16
[  328.854248][ T7752] binder: send failed reply for transaction 752, target dead
15:41:41 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0xd00000000000000)

[  328.910059][T22026] binder: 21997:22026 got transaction to invalid handle
15:41:41 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xfffffdf9, 0x0)

15:41:41 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x03', 0x0, 0x0)

[  328.990278][T22186] binder_alloc: binder_alloc_mmap_handler: 21997 20001000-20004000 already mapped failed -16
15:41:42 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0})

15:41:42 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x1000000000000000)

[  329.083071][T22026] binder: BINDER_SET_CONTEXT_MGR already set
[  329.119203][T22209] binder_alloc: 21997: binder_alloc_buf, no vma
[  329.150114][ T2597] binder: send failed reply for transaction 758 to 21997:22026
[  329.170267][T22265] binder: 22229:22265 got new transaction with bad transaction stack, transaction 764 has target 22229:0
[  329.175945][T22026] binder: 21997:22026 ioctl 40046207 0 returned -16
[  329.185287][ T2597] binder: undelivered TRANSACTION_COMPLETE
15:41:42 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0})

15:41:42 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0xfffffdfd, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:41:42 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x03', 0x0, 0x0)

[  329.244007][ T2597] binder: release 22229:22265 transaction 764 out, still active
[  329.265176][ T2597] binder: undelivered TRANSACTION_COMPLETE
[  329.281785][ T2597] binder: send failed reply for transaction 764, target dead
15:41:42 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xffffff7f, 0x0)

15:41:42 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0xe00000000000000)

[  329.381905][ T7752] binder: release 22331:22332 transaction 767 out, still active
[  329.394997][ T7752] binder: undelivered TRANSACTION_COMPLETE
15:41:42 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:41:42 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0})

[  329.508938][ T7752] binder: send failed reply for transaction 767, target dead
[  329.513409][T22372] binder: 22353:22372 got transaction to invalid handle
[  329.576669][T22449] binder: BINDER_SET_CONTEXT_MGR already set
15:41:42 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xffffff8c, 0x0)

[  329.623288][T22449] binder: 22448:22449 ioctl 40046207 0 returned -16
[  329.642894][T22452] binder_alloc: binder_alloc_mmap_handler: 22353 20001000-20004000 already mapped failed -16
15:41:42 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0xf00000000000000)

15:41:42 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x1100000000000000)

[  329.687644][T22372] binder: BINDER_SET_CONTEXT_MGR already set
[  329.713046][T22372] binder: 22353:22372 ioctl 40046207 0 returned -16
[  329.715468][T22525] binder_alloc: 22353: binder_alloc_buf, no vma
[  329.784310][ T7752] binder: send failed reply for transaction 769 to 22353:22372
[  329.803034][ T7752] binder: undelivered TRANSACTION_COMPLETE
15:41:42 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x03', 0x0, 0x0)

15:41:42 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xfffffff6, 0x0)

15:41:42 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0})

15:41:42 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x100000000000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:41:42 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x03', 0x0, 0x0)

[  330.022121][ T7757] binder: release 22697:22712 transaction 775 out, still active
[  330.039651][T22722] binder: BINDER_SET_CONTEXT_MGR already set
[  330.052080][ T7757] binder: undelivered TRANSACTION_COMPLETE
15:41:43 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x1200000000000000)

[  330.073164][T22722] binder: 22710:22722 ioctl 40046207 0 returned -16
15:41:43 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0)

[  330.113924][T22780] binder_alloc: binder_alloc_mmap_handler: 22710 20001000-20004000 already mapped failed -16
[  330.135224][ T7757] binder: send failed reply for transaction 775, target dead
[  330.148189][ T7757] binder: send failed reply for transaction 776 to 22710:22780
15:41:43 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x1000000000000000)

15:41:43 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xedc000000000, 0x0)

[  330.174026][T22790] binder_alloc: 22710: binder_alloc_buf, no vma
[  330.208761][ T7757] binder: undelivered transaction 779, process died.
15:41:43 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\xc0', 0x0, 0x0)

15:41:43 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x200000000000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  330.235736][ T7757] binder: undelivered TRANSACTION_COMPLETE
[  330.254303][T22793] binder: 22792:22793 ioctl c0306201 0 returned -14
[  330.268990][ T7757] binder: undelivered TRANSACTION_COMPLETE
[  330.309770][ T7757] binder: release 22792:22793 transaction 783 out, still active
15:41:43 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0)

15:41:43 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  330.387259][T22810] binder: BINDER_SET_CONTEXT_MGR already set
[  330.396331][ T7757] binder: send failed reply for transaction 783, target dead
[  330.419149][T22810] binder: 22809:22810 ioctl 40046207 0 returned -16
[  330.478712][T22814] binder_alloc: binder_alloc_mmap_handler: 22809 20001000-20004000 already mapped failed -16
[  330.501775][T22815] binder: 22813:22815 ioctl c0306201 0 returned -14
15:41:43 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x1300000000000000)

15:41:43 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, 0x0)

[  330.558786][ T7757] binder: release 22813:22815 transaction 787 out, still active
[  330.593571][ T7757] binder: release 22809:22814 transaction 788 out, still active
15:41:43 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x1800000000000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  330.636901][ T7757] binder: unexpected work type, 4, not freed
15:41:43 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf0ffffffffffff, 0x0)

[  330.682521][ T7757] binder: send failed reply for transaction 787, target dead
[  330.710576][T22928] binder: 22927:22928 ioctl c0306201 0 returned -14
[  330.714663][ T7757] binder: send failed reply for transaction 788, target dead
15:41:43 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x03', 0x0, 0x0)

[  330.781357][ T7757] binder: release 22927:22928 transaction 792 out, still active
[  330.802593][T22934] binder: BINDER_SET_CONTEXT_MGR already set
15:41:43 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0})

[  330.846755][T22934] binder: 22931:22934 ioctl 40046207 0 returned -16
[  330.870354][ T7767] binder: send failed reply for transaction 792, target dead
[  330.884147][T22960] binder_alloc: binder_alloc_mmap_handler: 22931 20001000-20004000 already mapped failed -16
15:41:43 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x1100000000000000)

15:41:43 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  330.885200][ T7767] binder: send failed reply for transaction 793 to 22931:22960
[  330.944551][T22934] binder_transaction: 16 callbacks suppressed
[  330.944571][T22934] binder: 22931:22934 transaction failed 29189/-22, size 24-8 line 2994
[  330.951024][ T7767] binder: undelivered transaction 796, process died.
[  330.978407][T23023] binder: BINDER_SET_CONTEXT_MGR already set
[  331.007512][T23023] binder: 23010:23023 ioctl 40046207 0 returned -16
[  331.039107][ T7767] binder_release_work: 23 callbacks suppressed
[  331.039114][ T7767] binder: undelivered TRANSACTION_ERROR: 29189
15:41:44 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0xfdfdffff00000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:41:44 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x100000000000000, 0x0)

[  331.068050][ T7767] binder: undelivered TRANSACTION_ERROR: 29189
15:41:44 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x1400000000000000)

15:41:44 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0})

15:41:44 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x80', 0x0, 0x0)

[  331.246918][T23162] binder_alloc: binder_alloc_mmap_handler: 23155 20001000-20004000 already mapped failed -16
[  331.298374][T23166] binder: BINDER_SET_CONTEXT_MGR already set
[  331.319983][T23166] binder: 23164:23166 ioctl 40046207 0 returned -16
[  331.339817][T23166] binder_alloc: 23155: binder_alloc_buf, no vma
[  331.349649][T23166] binder: 23164:23166 transaction failed 29189/-3, size 0-0 line 3147
[  331.359550][T23160] binder_alloc: 23155: binder_alloc_buf, no vma
15:41:44 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x1200000000000000)

[  331.404021][ T7752] binder: undelivered TRANSACTION_ERROR: 29189
[  331.413366][T23160] binder: 23155:23160 transaction failed 29189/-3, size 24-8 line 3147
[  331.421785][ T7752] binder: send failed reply for transaction 800 to 23155:23160
15:41:44 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\xff', 0x0, 0x0)

15:41:44 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0})

[  331.463002][ T7752] binder: undelivered transaction 803, process died.
15:41:44 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x2, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  331.522227][ T7752] binder: undelivered TRANSACTION_ERROR: 29189
[  331.557524][ T7752] binder: undelivered TRANSACTION_ERROR: 29189
[  331.610099][    T5] binder: release 23185:23216 transaction 807 out, still active
15:41:44 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:41:44 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000700), 0x0, 0x0, 0x0})

[  331.661767][T23288] binder: BINDER_SET_CONTEXT_MGR already set
15:41:44 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x1300000000000000)

15:41:44 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x200000000000000, 0x0)

[  331.741136][T23288] binder: 23248:23288 ioctl 40046207 0 returned -16
[  331.748276][ T7752] binder: send failed reply for transaction 807, target dead
[  331.766451][T23296] binder: 23248:23296 transaction failed 29189/-22, size 24-8 line 2994
[  331.786430][ T7752] binder: release 23295:23297 transaction 810 out, still active
15:41:44 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x1500000000000000)

15:41:44 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000700), 0x0, 0x0, 0x0})

[  331.830678][T23296] binder_alloc: binder_alloc_mmap_handler: 23248 20001000-20004000 already mapped failed -16
[  331.851563][ T7756] binder: send failed reply for transaction 810, target dead
[  331.894671][T23300] binder_alloc: 23248: binder_alloc_buf, no vma
[  331.899036][ T7756] binder: undelivered transaction 811, process died.
[  331.932460][T23300] binder: 23248:23300 transaction failed 29189/-3, size 24-8 line 3147
[  331.940229][ T7756] binder: undelivered TRANSACTION_ERROR: 29189
15:41:44 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  331.976678][ T7752] binder: release 23311:23314 transaction 815 out, still active
15:41:45 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000700), 0x0, 0x0, 0x0})

[  332.118475][ T2597] binder: undelivered TRANSACTION_ERROR: 29189
15:41:45 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x18, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:41:45 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x1600000000000000)

15:41:45 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xa00000000000000, 0x0)

15:41:45 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  332.235625][T23428] binder: BINDER_SET_CONTEXT_MGR already set
[  332.256597][T23428] binder: 23425:23428 ioctl 40046207 0 returned -16
15:41:45 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x1400000000000000)

15:41:45 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  332.332748][T23428] binder: 23425:23428 transaction failed 29189/-22, size 24-8 line 2994
[  332.346758][T23435] binder: 23434:23435 got new transaction with bad transaction stack, transaction 820 has target 23434:0
[  332.395823][T23428] binder: BINDER_SET_CONTEXT_MGR already set
[  332.405709][T23435] binder: 23434:23435 transaction failed 29201/-71, size 0-0 line 3044
[  332.416054][    T5] binder: undelivered TRANSACTION_ERROR: 29189
[  332.423865][T23428] binder: 23425:23428 ioctl 40046207 0 returned -16
[  332.430588][    T5] binder: unexpected work type, 4, not freed
15:41:45 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x1800, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  332.447585][    T5] binder: undelivered TRANSACTION_ERROR: 29201
15:41:45 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x100000000000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  332.541141][    T5] binder: undelivered transaction 822, process died.
[  332.563213][T23454] binder: BINDER_SET_CONTEXT_MGR already set
[  332.615594][T23454] binder: 23452:23454 ioctl 40046207 0 returned -16
[  332.616221][T23477] binder_alloc: 23452: binder_alloc_buf, no vma
[  332.631757][    T5] binder: send failed reply for transaction 827 to 23452:23454
15:41:45 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:41:45 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x1700000000000000)

[  332.671967][    T5] binder: undelivered transaction 830, process died.
[  332.694990][    T5] binder: unexpected work type, 4, not freed
[  332.707628][    T5] binder: undelivered TRANSACTION_ERROR: 29189
[  332.731374][T23477] binder: 23452:23477 transaction failed 29189/-3, size 24-0 line 3147
15:41:45 executing program 4:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0xc71d7f500000000)

15:41:45 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x2000000000000000, 0x0)

15:41:45 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x1000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  332.789127][    T5] binder: undelivered transaction 836, process died.
15:41:45 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x1500000000000000)

[  332.937547][T23583] binder_alloc_mmap_handler: 2 callbacks suppressed
[  332.937566][T23583] binder_alloc: binder_alloc_mmap_handler: 23580 20001000-20004000 already mapped failed -16
[  332.986988][T23581] binder: BINDER_SET_CONTEXT_MGR already set
[  333.009708][T23581] binder: 23580:23581 ioctl 40046207 0 returned -16
[  333.030238][T23635] binder_alloc: 23580: binder_alloc_buf, no vma
15:41:45 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  333.041452][T23635] binder: 23580:23635 transaction failed 29189/-3, size 24-8 line 3147
15:41:46 executing program 4:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0xc71d7f500000000)

[  333.131510][T23581] binder_alloc: 23580: binder_alloc_buf, no vma
15:41:46 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x1800000000000000)

[  333.180375][T23581] binder: 23580:23581 transaction failed 29189/-3, size 24-0 line 3147
[  333.189683][ T2597] binder: send failed reply for transaction 838 to 23580:23581
[  333.225294][ T2597] binder: undelivered transaction 841, process died.
15:41:46 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x2000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  333.267955][ T2597] binder_release_work: 20 callbacks suppressed
[  333.267960][ T2597] binder: undelivered TRANSACTION_COMPLETE
15:41:46 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x2010000000000000, 0x0)

[  333.324293][ T2597] binder: undelivered TRANSACTION_COMPLETE
15:41:46 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  333.392625][T23807] binder_alloc: binder_alloc_mmap_handler: 23800 20001000-20004000 already mapped failed -16
15:41:46 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x1600000000000000)

[  333.472033][T23805] binder: BINDER_SET_CONTEXT_MGR already set
[  333.493427][T23805] binder: 23800:23805 ioctl 40046207 0 returned -16
[  333.534899][T23811] binder_alloc: 23800: binder_alloc_buf, no vma
[  333.557639][    T5] binder: unexpected work type, 4, not freed
[  333.568039][    T5] binder: undelivered TRANSACTION_COMPLETE
[  333.575852][T23807] binder_alloc: 23800: binder_alloc_buf, no vma
15:41:46 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x1900000000000000)

[  333.603618][    T5] binder: undelivered TRANSACTION_COMPLETE
15:41:46 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x18000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  333.656145][    T5] binder: undelivered transaction 848, process died.
15:41:46 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x3f00000000000000, 0x0)

15:41:46 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x1700000000000000)

15:41:46 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  333.839076][T23929] binder_alloc: binder_alloc_mmap_handler: 23926 20001000-20004000 already mapped failed -16
15:41:46 executing program 4:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0xe00000000000000)

[  333.886629][T23927] binder: BINDER_SET_CONTEXT_MGR already set
[  334.020211][T23927] binder: 23926:23927 ioctl 40046207 0 returned -16
[  334.020967][T23945] binder_alloc: 23926: binder_alloc_buf, no vma
[  334.104568][    T5] binder: unexpected work type, 4, not freed
[  334.115641][    T5] binder: undelivered TRANSACTION_COMPLETE
[  334.139405][    T5] binder: undelivered TRANSACTION_COMPLETE
[  334.166661][    T5] binder_send_failed_reply: 6 callbacks suppressed
[  334.166668][    T5] binder: send failed reply for transaction 852, target dead
15:41:47 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0xfdfdffff, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:41:47 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  334.207070][    T5] binder: undelivered transaction 855, process died.
15:41:47 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x4000000000000000, 0x0)

15:41:47 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x1a00000000000000)

[  334.312433][T24054] binder_alloc: binder_alloc_mmap_handler: 24052 20001000-20004000 already mapped failed -16
15:41:47 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x1800000000000000)

[  334.418685][T24054] binder_alloc: 24052: binder_alloc_buf, no vma
[  334.444534][T24062] binder: BINDER_SET_CONTEXT_MGR already set
[  334.463545][   T17] binder_thread_release: 6 callbacks suppressed
[  334.463555][   T17] binder: release 24052:24053 transaction 858 out, still active
[  334.483497][T24062] binder: 24052:24062 ioctl 40046207 0 returned -16
[  334.509577][   T17] binder: unexpected work type, 4, not freed
15:41:47 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0xfffffdfd, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:41:47 executing program 4:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x40000000, 0x0)

15:41:47 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  334.550573][   T17] binder: undelivered TRANSACTION_COMPLETE
[  334.571925][   T17] binder: undelivered TRANSACTION_COMPLETE
[  334.628732][   T17] binder: send failed reply for transaction 858, target dead
[  334.716754][T24145] binder_alloc: binder_alloc_mmap_handler: 24118 20001000-20004000 already mapped failed -16
15:41:47 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x8cffffff00000000, 0x0)

[  334.767880][T24135] binder: BINDER_SET_CONTEXT_MGR already set
[  334.780771][T24135] binder: 24118:24135 ioctl 40046207 0 returned -16
[  334.788276][    T5] binder: release 24118:24135 transaction 865 out, still active
[  334.801446][    T5] binder: unexpected work type, 4, not freed
15:41:47 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x100000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:41:47 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x1900000000000000)

[  334.828914][    T5] binder: undelivered TRANSACTION_COMPLETE
[  334.838726][    T5] binder: undelivered TRANSACTION_COMPLETE
[  334.854585][    T5] binder: send failed reply for transaction 865, target dead
[  334.893135][T24196] binder_alloc: binder_alloc_mmap_handler: 24194 20001000-20004000 already mapped failed -16
15:41:47 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:41:47 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x1b00000000000000)

[  334.963328][T26837] binder: send failed reply for transaction 871 to 24194:24195
15:41:47 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40406301, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:41:48 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x200000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:41:48 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x1a00000000000000)

[  335.174562][T24216] binder: 24215:24216 got reply transaction with bad transaction stack, transaction 877 has target 24215:0
[  335.190276][T24250] binder: BINDER_SET_CONTEXT_MGR already set
[  335.227786][T24250] binder: 24248:24250 ioctl 40046207 0 returned -16
[  335.229771][    T5] binder: release 24215:24216 transaction 877 out, still active
15:41:48 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf6ffffff00000000, 0x0)

15:41:48 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40406301, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  335.273051][    T5] binder: unexpected work type, 4, not freed
[  335.283891][T24323] binder_alloc: binder_alloc_mmap_handler: 24248 20001000-20004000 already mapped failed -16
[  335.332758][    T5] binder: send failed reply for transaction 877, target dead
15:41:48 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x1c00000000000000)

15:41:48 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  335.378062][    T5] binder: send failed reply for transaction 881 to 24248:24323
15:41:48 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x1800000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  335.432995][    T5] binder_cleanup_transaction: 3 callbacks suppressed
[  335.433004][    T5] binder: undelivered transaction 884, process died.
15:41:48 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40406300, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  335.488325][T24337] binder: BINDER_SET_CONTEXT_MGR already set
[  335.508844][T24337] binder: 24333:24337 ioctl 40046207 0 returned -16
[  335.595469][T24346] binder_alloc: binder_alloc_mmap_handler: 24343 20001000-20004000 already mapped failed -16
[  335.626187][T24362] binder: BINDER_SET_CONTEXT_MGR already set
[  335.660791][T24344] binder: BINDER_SET_CONTEXT_MGR already set
[  335.692253][T24362] binder: 24347:24362 ioctl 40046207 0 returned -16
15:41:48 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:41:48 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x1d00000000000000)

[  335.712203][T24344] binder: 24343:24344 ioctl 40046207 0 returned -16
[  335.713675][T26837] binder: release 24343:24344 transaction 889 out, still active
15:41:48 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf9fdffff00000000, 0x0)

15:41:48 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0xfdfdffff00000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  335.779173][T26837] binder: unexpected work type, 4, not freed
[  335.803931][T26837] binder: send failed reply for transaction 889, target dead
15:41:48 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x1b00000000000000)

15:41:48 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40406300, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  335.850168][T26837] binder: undelivered transaction 892, process died.
[  335.930960][T24571] binder_alloc: binder_alloc_mmap_handler: 24564 20001000-20004000 already mapped failed -16
[  335.941311][T24570] binder: BINDER_SET_CONTEXT_MGR already set
[  335.941343][T24570] binder: 24569:24570 ioctl 40046207 0 returned -16
[  335.970653][T24567] binder: BINDER_SET_CONTEXT_MGR already set
15:41:48 executing program 4:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x200000000000000)

[  336.025239][T24567] binder: 24564:24567 ioctl 40046207 0 returned -16
[  336.056825][ T7767] binder: send failed reply for transaction 895 to 24564:24567
[  336.064981][T24577] binder_transaction: 12 callbacks suppressed
[  336.064999][T24577] binder: 24564:24577 transaction failed 29189/-3, size 24-8 line 3147
[  336.082049][ T7767] binder: undelivered transaction 898, process died.
[  336.105417][ T7767] binder_release_work: 18 callbacks suppressed
[  336.105424][ T7767] binder: undelivered TRANSACTION_ERROR: 29189
15:41:49 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  336.161068][ T7767] binder: undelivered TRANSACTION_ERROR: 29189
15:41:49 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x2, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:41:49 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x1e00000000000000)

15:41:49 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xffffff7f00000000, 0x0)

[  336.329243][T24794] binder_alloc: binder_alloc_mmap_handler: 24771 20001000-20004000 already mapped failed -16
[  336.370719][T24792] binder: BINDER_SET_CONTEXT_MGR already set
[  336.377118][T24792] binder: 24771:24792 ioctl 40046207 0 returned -16
15:41:49 executing program 4:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x200000000000000)

[  336.412997][T24794] binder_alloc_new_buf_locked: 7 callbacks suppressed
[  336.413005][T24794] binder_alloc: 24771: binder_alloc_buf, no vma
15:41:49 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x1c00000000000000)

[  336.462982][T26837] binder: release 24771:24792 transaction 902 out, still active
[  336.478585][T24794] binder: 24771:24794 transaction failed 29189/-3, size 24-8 line 3147
[  336.499230][T26837] binder: unexpected work type, 4, not freed
15:41:49 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x18, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  336.517940][T26837] binder: send failed reply for transaction 902, target dead
[  336.553846][T26837] binder: undelivered transaction 905, process died.
15:41:49 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  336.602200][T26837] binder: undelivered TRANSACTION_ERROR: 29189
[  336.695185][T24817] binder: BINDER_SET_CONTEXT_MGR already set
[  336.731223][T24820] binder_alloc: 24815: binder_alloc_buf, no vma
15:41:49 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x2000000000000000)

[  336.757442][T26837] binder: release 24815:24817 transaction 908 out, still active
[  336.769438][T24817] binder: 24815:24817 ioctl 40046207 0 returned -16
[  336.782144][T26837] binder: unexpected work type, 4, not freed
[  336.816279][T24820] binder: 24815:24820 transaction failed 29189/-3, size 24-8 line 3147
[  336.827808][T26837] binder: send failed reply for transaction 908, target dead
[  336.853915][T26837] binder: undelivered transaction 911, process died.
15:41:49 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xfffffffffffff000, 0x0)

15:41:49 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x1800, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:41:49 executing program 4:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x200000000000000)

[  336.888566][T26837] binder: undelivered TRANSACTION_ERROR: 29189
15:41:49 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:41:50 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x1d00000000000000)

[  337.033096][T25037] binder: BINDER_SET_CONTEXT_MGR already set
[  337.113262][T25037] binder: 25036:25037 ioctl 40046207 0 returned -16
[  337.120504][T26837] binder: send failed reply for transaction 914 to 25036:25037
[  337.149133][T26837] binder: undelivered transaction 917, process died.
15:41:50 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
r0 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000000)='/dev/autofs\x00', 0x4000, 0x0)
ioctl$TIOCMSET(r0, 0x5418, &(0x7f0000000080)=0xc2e7)
clone(0x0, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
ioctl$VT_OPENQRY(r0, 0x5600, &(0x7f0000000040))
fremovexattr(r0, &(0x7f00000001c0)=@known='trusted.overlay.impure\x00')
link(&(0x7f0000000100)='./file0\x00', &(0x7f0000000140)='./file0\x00')
mount(&(0x7f0000000140)=ANY=[], &(0x7f0000000200)='./file0\x00', &(0x7f0000000180)='udf\x00', 0x0, 0x0)
ioctl$SG_GET_NUM_WAITING(r0, 0x227d, &(0x7f00000000c0))

15:41:50 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x1000000, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  337.177757][T26837] binder: undelivered TRANSACTION_ERROR: 29189
15:41:50 executing program 4:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x8000000000)

15:41:50 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x2080140800000000)

15:41:50 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  337.341935][T25256] binder_alloc: 25253: binder_alloc_buf, no vma
[  337.409950][T25255] binder: BINDER_SET_CONTEXT_MGR already set
[  337.459275][T25255] binder: 25253:25255 ioctl 40046207 0 returned -16
[  337.490513][T26837] binder: send failed reply for transaction 919 to 25253:25255
[  337.499455][T25256] binder: 25253:25256 transaction failed 29189/-3, size 24-8 line 3147
15:41:50 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x2000000, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  337.518913][T26837] binder: undelivered transaction 922, process died.
[  337.536887][T26837] binder: undelivered TRANSACTION_ERROR: 29189
[  337.557218][T26837] binder: undelivered TRANSACTION_ERROR: 29189
15:41:50 executing program 1:
r0 = fcntl$getown(0xffffffffffffffff, 0x9)
ioprio_set$pid(0x2, r0, 0x800)
mkdir(&(0x7f0000000040)='./file0\x00', 0x40)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000000)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x40000000000, 0x0)

15:41:50 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x1e00000000000000)

[  337.668383][T25477] binder: BINDER_SET_CONTEXT_MGR already set
[  337.697290][T25477] binder: 25475:25477 ioctl 40046207 0 returned -16
15:41:50 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x3f00000000000000)

15:41:50 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  337.717965][T26837] binder: release 25475:25477 transaction 925 out, still active
[  337.726582][T25479] binder_alloc: 25475: binder_alloc_buf, no vma
[  337.735488][T26837] binder: unexpected work type, 4, not freed
15:41:50 executing program 4:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x8000000000)

[  337.785677][T25479] binder: 25475:25479 transaction failed 29189/-3, size 24-8 line 3147
[  337.798971][T26837] binder: send failed reply for transaction 925, target dead
15:41:50 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x18000000, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  337.842144][T26837] binder: undelivered transaction 928, process died.
[  337.879534][T26837] binder: undelivered TRANSACTION_ERROR: 29189
15:41:50 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x4000000000000000)

[  338.020211][T25572] binder_alloc_mmap_handler: 4 callbacks suppressed
[  338.020229][T25572] binder_alloc: binder_alloc_mmap_handler: 25540 20001000-20004000 already mapped failed -16
[  338.049296][T25558] binder: BINDER_SET_CONTEXT_MGR already set
15:41:51 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:41:51 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
socket$can_bcm(0x1d, 0x2, 0x2)
mount(&(0x7f0000000040)=ANY=[@ANYBLOB="5b6409866fe42f5640253a00"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  338.106477][T26837] binder: release 25540:25558 transaction 931 out, still active
[  338.115189][T25558] binder: 25540:25558 ioctl 40046207 0 returned -16
[  338.134501][T26837] binder: unexpected work type, 4, not freed
[  338.140613][T26837] binder: send failed reply for transaction 931, target dead
15:41:51 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0xfdfdffff, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  338.229763][T26837] binder: undelivered transaction 934, process died.
[  338.257614][T25615] ceph: device name is missing path (no : separator in [d	�o�/V@%:)
15:41:51 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x4000000000000000)

[  338.356759][T25641] binder_alloc: binder_alloc_mmap_handler: 25626 20001000-20004000 already mapped failed -16
[  338.376454][T25638] binder: BINDER_SET_CONTEXT_MGR already set
[  338.384129][T25638] binder: 25626:25638 ioctl 40046207 0 returned -16
[  338.384365][T25641] binder_alloc: 25626: binder_alloc_buf, no vma
15:41:51 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x6018230000000000)

[  338.417839][T25641] binder: 25626:25641 transaction failed 29189/-3, size 24-8 line 3147
15:41:51 executing program 4:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x3f00000000000000)

15:41:51 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:41:51 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000140)=ANY=[@ANYBLOB="5b003a3adcad2f6c6c623200313493d101cdec5e8481c86a8826e9e68833ec6923cd3772a806d042770859080000000000000032e89cde05b46a4abfdc3f0a33e45061d02628fb436987a45d51112c550fca0facf46e941f31cfe03a326203ddbd0910e0095fc5140264c5420b32e89513a37061f2dc0fad01d874dc349dd25b5376ca8545ac11bf045136155e43957a80cf760a1c872c573961234b04f2d8debb95eeb289f6479803d30feb04af1539c7d677d14f30"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  338.499266][T25638] binder_alloc: 25626: binder_alloc_buf, no vma
[  338.521567][   T17] binder: release 25626:25638 transaction 936 out, still active
[  338.530538][T25638] binder: 25626:25638 transaction failed 29189/-3, size 24-0 line 3147
[  338.552408][   T17] binder: unexpected work type, 4, not freed
[  338.564260][   T17] binder_release_work: 21 callbacks suppressed
[  338.564265][   T17] binder: undelivered TRANSACTION_COMPLETE
15:41:51 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0xfffffdfd, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  338.638724][   T17] binder: undelivered TRANSACTION_COMPLETE
[  338.639061][T25740] ceph: device name is missing path (no : separator in [)
[  338.672681][   T17] binder: undelivered TRANSACTION_ERROR: 29189
[  338.680103][   T17] binder: undelivered TRANSACTION_ERROR: 29189
[  338.699837][   T17] binder: send failed reply for transaction 936, target dead
[  338.710200][   T17] binder: undelivered transaction 939, process died.
[  338.768865][T25832] binder_alloc: binder_alloc_mmap_handler: 25780 20001000-20004000 already mapped failed -16
15:41:51 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x6300000000000000)

[  338.813857][T25793] binder: BINDER_SET_CONTEXT_MGR already set
15:41:51 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x500c140800000000)

15:41:51 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x10060004, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
syz_open_dev$dmmidi(&(0x7f00000000c0)='/dev/dmmidi#\x00', 0x0, 0x2104)
mount(&(0x7f0000000180)=ANY=[@ANYBLOB="4c1d4c"], &(0x7f0000000140)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xc0004, 0x0)

[  338.866168][T25793] binder: 25780:25793 ioctl 40046207 0 returned -16
[  338.873645][ T2597] binder: send failed reply for transaction 943 to 25780:25793
[  338.881290][ T2597] binder: undelivered TRANSACTION_COMPLETE
[  338.898872][T25849] binder: 25780:25849 transaction failed 29189/-22, size 24-8 line 2994
15:41:51 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\xff', 0x0, 0x0)

[  338.932046][ T2597] binder: undelivered TRANSACTION_COMPLETE
15:41:51 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x100000000000000, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:41:52 executing program 4:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x3f00000000000000)

15:41:52 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=ANY=[@ANYBLOB="5b643a3a5d52562577e90b34"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:41:52 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  339.143112][T26068] binder_alloc: binder_alloc_mmap_handler: 26066 20001000-20004000 already mapped failed -16
[  339.227691][T26074] ceph: device name is missing path (no : separator in [d::]RV%w�4)
[  339.246232][T26067] binder: BINDER_SET_CONTEXT_MGR already set
15:41:52 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x8004000000000000)

15:41:52 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x6018230000000000)

[  339.278106][T26067] binder: 26066:26067 ioctl 40046207 0 returned -16
[  339.322795][    T5] binder: send failed reply for transaction 949 to 26066:26067
[  339.324771][T26081] binder: 26066:26081 transaction failed 29189/-22, size 24-8 line 2994
[  339.339147][    T5] binder: undelivered TRANSACTION_COMPLETE
[  339.367393][    T5] binder: undelivered TRANSACTION_COMPLETE
15:41:52 executing program 1:
r0 = shmget(0x1, 0xd000, 0x800, &(0x7f0000ff0000/0xd000)=nil)
shmctl$IPC_STAT(r0, 0x2, &(0x7f0000000140)=""/175)
r1 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/mixer\x00', 0x80000, 0x0)
getsockopt$inet_sctp6_SCTP_RECONFIG_SUPPORTED(0xffffffffffffff9c, 0x84, 0x75, &(0x7f0000000080)={<r2=>0x0, 0x3}, &(0x7f00000000c0)=0x8)
getsockopt$inet_sctp6_SCTP_RTOINFO(r1, 0x84, 0x0, &(0x7f0000000240)={r2, 0xb1c6, 0x20, 0x7}, &(0x7f0000000280)=0x10)
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=ANY=[@ANYBLOB='[d:2]:/llb:\x00'], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:41:52 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x200000000000000, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  339.524979][T26190] libceph: resolve 'd' (ret=-3): failed
[  339.548679][T26190] libceph: parse_ips bad ip '[d:2]'
15:41:52 executing program 4:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:41:52 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  339.654829][T26241] binder_alloc: binder_alloc_mmap_handler: 26209 20001000-20004000 already mapped failed -16
[  339.699642][T26225] binder: BINDER_SET_CONTEXT_MGR already set
[  339.720506][T26225] binder: 26209:26225 ioctl 40046207 0 returned -16
[  339.740482][T26306] binder_alloc: 26209: binder_alloc_buf, no vma
15:41:52 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x6300000000000000)

15:41:52 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000000)=ANY=[@ANYBLOB="5b643a3a5d3a2f6c6c1c0054bdddaffe"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)
r0 = shmget(0x0, 0x1000, 0x2, &(0x7f0000ffd000/0x1000)=nil)
shmctl$SHM_STAT(r0, 0xd, &(0x7f0000000040)=""/78)
r1 = syz_open_dev$admmidi(&(0x7f00000000c0)='/dev/admmidi#\x00', 0x8, 0x185000)
ioctl$SG_SET_RESERVED_SIZE(r1, 0x2275, &(0x7f0000000140)=0x8)

[  339.750823][T26306] binder: 26209:26306 transaction failed 29189/-3, size 24-8 line 3147
[  339.771200][T26225] binder_alloc: 26209: binder_alloc_buf, no vma
[  339.844392][ T2597] binder: send failed reply for transaction 955 to 26209:26225
15:41:52 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x1800000000000000, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:41:52 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  339.889151][ T2597] binder: undelivered TRANSACTION_COMPLETE
[  339.903485][ T2597] binder: undelivered TRANSACTION_COMPLETE
15:41:52 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0xe803000000000000)

15:41:52 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0x40046208, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  339.972943][T26343] binder_alloc: binder_alloc_mmap_handler: 26319 20001000-20004000 already mapped failed -16
[  340.001222][T26331] binder: BINDER_SET_CONTEXT_MGR already set
[  340.010656][T26331] binder: 26319:26331 ioctl 40046207 0 returned -16
[  340.057276][    T5] binder: release 26319:26331 transaction 962 out, still active
[  340.065699][T26343] binder_alloc: 26319: binder_alloc_buf, no vma
[  340.079364][T26395] binder: BINDER_SET_CONTEXT_MGR already set
[  340.080757][    T5] binder: unexpected work type, 4, not freed
[  340.094379][T26395] binder: 26391:26395 ioctl 40046207 0 returned -16
15:41:53 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0xfdfdffff00000000, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  340.125959][    T5] binder: undelivered TRANSACTION_COMPLETE
[  340.133910][T26395] binder_alloc: 26319: binder_alloc_buf, no vma
[  340.147871][    T5] binder: undelivered TRANSACTION_COMPLETE
15:41:53 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  340.192795][    T5] binder: send failed reply for transaction 962, target dead
15:41:53 executing program 4 (fault-call:5 fault-nth:0):
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:41:53 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
r0 = syz_open_dev$vbi(&(0x7f0000000000)='/dev/vbi#\x00', 0x2, 0x2)
ioctl$TUNSETNOCSUM(r0, 0x400454c8, 0x1)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:41:53 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x6504460800000000)

[  340.295365][T26439] binder_alloc: binder_alloc_mmap_handler: 26434 20001000-20004000 already mapped failed -16
[  340.364422][T26436] binder: BINDER_SET_CONTEXT_MGR already set
[  340.379981][T26436] binder: 26434:26436 ioctl 40046207 0 returned -16
[  340.387313][T26450] binder: BINDER_SET_CONTEXT_MGR already set
[  340.398764][T26450] binder: 26448:26450 ioctl 40046207 0 returned -16
[  340.410441][   T17] binder: release 26434:26436 transaction 969 out, still active
15:41:53 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x2, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  340.435486][   T17] binder: unexpected work type, 4, not freed
[  340.469625][   T17] binder: send failed reply for transaction 969, target dead
[  340.503920][   T17] binder_cleanup_transaction: 4 callbacks suppressed
[  340.503928][   T17] binder: undelivered transaction 972, process died.
[  340.554401][T26548] binder_alloc: binder_alloc_mmap_handler: 26541 20001000-20004000 already mapped failed -16
[  340.584040][T26545] binder: BINDER_SET_CONTEXT_MGR already set
15:41:53 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:41:53 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0xffffffff00000000)

[  340.601531][ T2597] binder: release 26541:26545 transaction 975 out, still active
[  340.613961][T26545] binder: 26541:26545 ioctl 40046207 0 returned -16
[  340.638279][ T2597] binder: unexpected work type, 4, not freed
15:41:53 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  340.668111][ T2597] binder: send failed reply for transaction 975, target dead
15:41:53 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x18, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  340.719133][ T2597] binder: undelivered transaction 978, process died.
15:41:53 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@sr0='/dev/sr0\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x4000000000000000, 0x0)

[  340.781621][T26674] binder: 26670:26674 got new transaction with bad transaction stack, transaction 981 has target 26670:0
[  340.838331][T26677] binder: BINDER_SET_CONTEXT_MGR already set
[  340.877901][T26677] binder: 26676:26677 ioctl 40046207 0 returned -16
15:41:53 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x8004000000000000)

[  340.888744][T26681] ceph: device name is missing path (no : separator in /dev/sr0)
[  340.906922][ T2597] binder: release 26670:26674 transaction 981 out, still active
[  340.924498][T26688] binder_alloc: binder_alloc_mmap_handler: 26676 20001000-20004000 already mapped failed -16
15:41:53 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0x2, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  340.957053][T26677] binder: BINDER_SET_CONTEXT_MGR already set
[  340.987860][T26677] binder: 26676:26677 ioctl 40046207 0 returned -16
[  340.988216][ T2597] binder: send failed reply for transaction 981, target dead
[  341.006668][ T2597] binder: send failed reply for transaction 983 to 26676:26688
[  341.040271][ T2597] binder: undelivered transaction 986, process died.
15:41:54 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:41:54 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0)
socket$kcm(0x29, 0x5, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)
getsockopt$inet_sctp_SCTP_SOCKOPT_PEELOFF(r2, 0x84, 0x66, &(0x7f0000000140)={<r4=>0x0, 0x4}, &(0x7f00000002c0)=0x8)
getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF(r2, 0x84, 0x66, &(0x7f0000000300)={r4}, &(0x7f0000000340)=0x8)
getsockopt$inet_sctp_SCTP_DELAYED_SACK(r2, 0x84, 0x10, &(0x7f0000000040)=@sack_info={<r5=>0x0, 0x8, 0x7}, &(0x7f0000000080)=0xc)
setsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE(r2, 0x84, 0x7c, &(0x7f00000000c0)={r5, 0x69, 0x100}, 0x8)

15:41:54 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
r0 = dup2(0xffffffffffffffff, 0xffffffffffffffff)
ioctl$KDSIGACCEPT(r0, 0x4b4e, 0x21)
mount(&(0x7f0000000040)=ANY=[@ANYBLOB="1629c81f2193a8b127d1bb2c"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  341.074388][T26792] binder: 26770:26792 ioctl 2 200002c0 returned -22
15:41:54 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x1800, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  341.224547][T26857] binder: BINDER_SET_CONTEXT_MGR already set
[  341.230586][T26857] binder: 26830:26857 ioctl 40046207 0 returned -16
[  341.253967][T26860] ceph: device name is missing path (no : separator in )�!���'ѻ,)
15:41:54 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0xa01e0489fe7e0000)

[  341.291419][T26928] binder_alloc: binder_alloc_mmap_handler: 26830 20001000-20004000 already mapped failed -16
[  341.310472][T26857] binder: BINDER_SET_CONTEXT_MGR already set
[  341.328112][T26857] binder: 26830:26857 ioctl 40046207 0 returned -16
15:41:54 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0x541b, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  341.375776][ T7807] binder: send failed reply for transaction 989 to 26770:26792
[  341.392750][T27022] binder_transaction: 7 callbacks suppressed
[  341.392768][T27022] binder: 26830:27022 transaction failed 29189/-22, size 24-0 line 2994
[  341.404784][T26928] binder: 26830:26928 transaction failed 29189/-22, size 24-8 line 2994
[  341.412527][ T7807] binder: send failed reply for transaction 990 to 26830:26928
15:41:54 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\xff', 0x0, 0x0)

15:41:54 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, &(0x7f0000000240)={{{@in6=@mcast2, @in6=@local, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r0=>0x0}}, {{@in=@remote}, 0x0, @in=@broadcast}}, &(0x7f0000000080)=0xe8)
r1 = getgid()
r2 = syz_open_dev$vbi(&(0x7f00000000c0)='/dev/vbi#\x00', 0x3, 0x2)
getsockopt$inet_IP_XFRM_POLICY(r2, 0x0, 0x11, &(0x7f00000006c0)={{{@in6=@empty, @in6=@ipv4={[], [], @remote}}}, {{@in=@loopback}, 0x0, @in=@broadcast}}, &(0x7f0000000380)=0xe8)
r3 = openat$vhost_vsock(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vhost-vsock\x00', 0x2, 0x0)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
bind$netlink(r4, &(0x7f0000000040)={0x10, 0x0, 0x0, 0x2200080}, 0xc)
syz_open_dev$amidi(&(0x7f0000000180)='/dev/amidi#\x00', 0x0, 0x400000)
syz_open_dev$swradio(&(0x7f0000000400)='/dev/swradio#\x00', 0x0, 0x2)
ioctl$KVM_IRQFD(0xffffffffffffffff, 0x4020ae76, 0x0)
ioctl$KVM_SIGNAL_MSI(0xffffffffffffffff, 0x4020aea5, &(0x7f0000000140)={0x0, 0x2000, 0x4, 0x9, 0xffffffff})
r5 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x41c1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfff}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
getresuid(0x0, 0x0, &(0x7f00000001c0))
fgetxattr(r5, &(0x7f0000000440)=ANY=[@ANYBLOB="b1df7259834b5d12801887fc823552a3794f1675cc87c298e50fc4bf124c1008cb983054769f61390c825abd6a09cde6a725ad7d43e5f5d2482ecaa2302ad989e62d13f7af6ebd01fc10cfcd747e51bc2056d6e2c6fc149a5a04013584f57a8829d7701a3761e07528ae4f9a0de790e5c57420a68f56eaa08805b5b6c19dff0e2ee89dc6a9eca45c8d3d5b08effb4eeb98000b6565c15c5ce5e3bf7af7ab01b1d84f7f52e6c0a7217645bc6837399d68e9e60e73f54a2f776b26f67671592e1b9866dca2525c12ae36028c546bb70bd93f4dccc62f83a338d8765a89d700c34d2e67b3f772672a320aed13f5a4f6518d4c1048d94b436bfdca85cd57ae32f317ba40eedcabe894ffe9f994436fe10e7ed4617384ca2d329a622ffb0ddddbfdad628d7ffa4c559de9f2ef58f5f925f9e1884ff25b53890f11fd3b309fb7747674b25b0512f46176ffcdea1afda8f862c27e9deaf5c5fc46546bca842e6713ec48c6cbc7a9164ee39ad14d71251533672e5bed00000000000000000000"], 0x0, 0x0)
ioctl$sock_inet_SIOCSIFNETMASK(0xffffffffffffffff, 0x891c, 0x0)
ioctl$VIDIOC_S_STD(0xffffffffffffffff, 0x40085618, 0x0)
openat$pfkey(0xffffffffffffff9c, &(0x7f0000000200)='/proc/self/net/pfkey\x00', 0x10800, 0x0)
unshare(0x40000000)
getsockname$netlink(r4, 0x0, &(0x7f0000000080))
ioctl$VHOST_SET_FEATURES(r3, 0x4008af00, &(0x7f0000000080)=0xbfffffd)
lchown(&(0x7f0000000000)='./file0\x00', r0, r1)
clone(0x8000000002000fe, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f00000005c0)=ANY=[@ANYBLOB="5b64a52aee26213a5d0000004e552769ee2841cebd859def66aa15059c8209b4b615ea41af88621036ba45b31217711e333c54ef582ae61b0c6cfbf751c22ae8afdfcc52fdc1cbb15341beae741c9a31daa1fd9b9943b372b0e024f087f7dd57aa882c1807a9b76f5f33625b8e1ce61055d200709691807f8cee7f0ba49fd359f64dd241e41930270e4adf34aed91cbd111f6f96db3548bb187a767cd48260991f9bd6f094fb35a4243e074b110f45bebdde0aeb390bc4c2f87c21913e3dee701b150000008a11853749dc7f12089e65ce64e055ec"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  341.479959][T27026] binder: 27025:27026 ioctl 541b 200002c0 returned -22
[  341.487833][ T7807] binder: undelivered transaction 993, process died.
[  341.532608][ T7807] binder_release_work: 14 callbacks suppressed
[  341.532615][ T7807] binder: undelivered TRANSACTION_ERROR: 29189
[  341.559699][ T7807] binder: undelivered TRANSACTION_ERROR: 29189
[  341.581687][ T7807] binder: undelivered TRANSACTION_ERROR: 29189
15:41:54 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x1000000, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  341.607964][ T7807] binder: undelivered TRANSACTION_ERROR: 29189
15:41:54 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0xde394ee1e07f0000)

15:41:54 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\xff', 0x0, 0x0)

[  341.755361][T27172] binder: BINDER_SET_CONTEXT_MGR already set
15:41:54 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0x5421, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  341.805034][T27172] binder: 27165:27172 ioctl 40046207 0 returned -16
[  341.841339][ T2597] binder: send failed reply for transaction 997 to 27025:27026
15:41:54 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\xff', 0x0, 0x0)

[  341.889051][T27190] binder: 27165:27190 transaction failed 29189/-22, size 24-0 line 2994
[  341.897188][T27033] IPVS: ftp: loaded support on port[0] = 21
[  341.902824][ T2597] binder: send failed reply for transaction 998 to 27165:27190
[  341.911333][ T2597] binder: undelivered TRANSACTION_ERROR: 29189
15:41:54 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
getresgid(&(0x7f0000000300), &(0x7f0000000340), &(0x7f0000000380))
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TEMPO(r2, 0x402c5342, &(0x7f0000000000)={0xb56, 0xfffffffffffffff9, 0x1, {0x0, 0x989680}, 0x2, 0x6})
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)
ioctl$VIDIOC_TRY_EXT_CTRLS(r2, 0xc0185649, &(0x7f00000002c0)={0x9c0000, 0x4, 0x80000001, [], &(0x7f0000000140)={0x990964, 0x3, [], @p_u8=&(0x7f0000000080)=0x8}})

[  341.987121][ T2597] binder: undelivered TRANSACTION_ERROR: 29189
[  341.997616][ T2597] binder: undelivered TRANSACTION_ERROR: 29189
15:41:54 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0xe0ffffffffffffff)

15:41:55 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x2000000, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  342.029591][ T2597] binder: release 27165:27190 transaction 1004 out, still active
[  342.061484][ T2597] binder: unexpected work type, 4, not freed
15:41:55 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:41:55 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0x5450, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  342.153100][ T2597] binder: send failed reply for transaction 1003 to 27233:27235
[  342.194543][T27364] binder: BINDER_SET_CONTEXT_MGR already set
[  342.200583][T27364] binder: 27362:27364 ioctl 40046207 0 returned -16
[  342.209990][ T2597] binder: send failed reply for transaction 1004, target dead
[  342.242082][T27373] binder: BINDER_SET_CONTEXT_MGR already set
[  342.271450][T27373] binder: 27372:27373 ioctl 40046207 0 returned -16
[  342.272655][ T2597] binder: undelivered TRANSACTION_ERROR: 29189
[  342.297113][ T2597] binder: send failed reply for transaction 1008 to 27362:27364
[  342.306916][ T2597] binder: undelivered transaction 1011, process died.
[  342.313932][ T2597] binder: undelivered TRANSACTION_ERROR: 29189
15:41:55 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x18000000, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  342.472798][T27459] binder: BINDER_SET_CONTEXT_MGR already set
[  342.478843][T27459] binder: 27456:27459 ioctl 40046207 0 returned -16
[  342.526185][T27477] binder_alloc_new_buf_locked: 2 callbacks suppressed
[  342.526194][T27477] binder_alloc: 27456: binder_alloc_buf, no vma
[  342.545009][T27477] binder: 27456:27477 transaction failed 29189/-3, size 24-8 line 3147
[  342.555168][ T2597] binder: release 27456:27459 transaction 1013 out, still active
[  342.567069][ T2597] binder: unexpected work type, 4, not freed
[  342.582567][ T2597] binder: undelivered TRANSACTION_ERROR: 29189
[  342.588821][ T2597] binder: send failed reply for transaction 1013, target dead
[  342.602216][ T2597] binder: undelivered transaction 1016, process died.
15:41:55 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
lsetxattr$trusted_overlay_upper(&(0x7f0000000000)='./file0\x00', &(0x7f0000000080)='trusted.overlay.upper\x00', &(0x7f0000000240)={0x0, 0xfb, 0xd8, 0x1, 0x100000000, "2a8062c3be187f7b072b329c7f8ace96", "1c54e814f27ef1b8de54ecb2ef4ee3ec5cc35e36b76a3e35366526e61f82215e8ba8f52b8a3361e02ce5487949ab4e3a758a38ed18200886b78956d10b2a67dab649fc6c640d0aa9d919fe3e6727cafb5882625e911336cfd0fc888a3b7c7984dd62c2d069f0161e0088c913d4bba768640de06c810b7c5405e934640b6374d032cdba3a9caa6a49e9119fb0b2c90e893dc9759b453d4632e17ac07dcfec69424e18e10faceedfe492707024af06619452215a4df3d159e62f23def283f73ebabc833a"}, 0xd8, 0x2)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:41:55 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0xe803000000000000)

15:41:55 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\xf9', 0x0, 0x0)

15:41:55 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$VIDIOC_LOG_STATUS(r2, 0x5646, 0x0)
ioctl$KVM_RUN(r3, 0xae80, 0x0)

15:41:55 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0x5452, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:41:55 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0xfdfdffff, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  342.772856][T27495] binder: BINDER_SET_CONTEXT_MGR already set
[  342.778908][T27495] binder: 27494:27495 ioctl 40046207 0 returned -16
15:41:55 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x7f', 0x0, 0x0)

[  342.826092][T27495] binder: BINDER_SET_CONTEXT_MGR already set
[  342.840865][ T7767] binder: release 27494:27495 transaction 1020 out, still active
15:41:55 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0x5460, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  342.876462][T27495] binder: 27494:27495 ioctl 40046207 0 returned -16
[  342.932805][ T7767] binder: unexpected work type, 4, not freed
[  342.953397][ T7767] binder: send failed reply for transaction 1019 to 27489:27492
15:41:55 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0xfffffdfd, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  342.987945][ T7767] binder: send failed reply for transaction 1020, target dead
[  343.011503][ T7767] binder: undelivered transaction 1023, process died.
[  343.026731][ T7767] binder: send failed reply for transaction 1024 to 27494:27540
15:41:56 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x8c', 0x0, 0x0)

[  343.082866][T27651] binder: BINDER_SET_CONTEXT_MGR already set
[  343.107713][T27651] binder: 27646:27651 ioctl 40046207 0 returned -16
15:41:56 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
getgroups(0x4, &(0x7f0000000000)=[0xffffffffffffffff, 0x0, 0xee01, <r2=>0x0])
fchownat(0xffffffffffffffff, 0x0, 0x0, r2, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
syz_open_dev$media(&(0x7f0000000040)='/dev/media#\x00', 0x4, 0x8000)
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

15:41:56 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0xf020120800000000)

[  343.156382][T27748] binder_alloc_mmap_handler: 4 callbacks suppressed
[  343.156399][T27748] binder_alloc: binder_alloc_mmap_handler: 27646 20001000-20004000 already mapped failed -16
[  343.208167][ T7752] binder: release 27614:27615 transaction 1028 out, still active
[  343.238103][T27651] binder: BINDER_SET_CONTEXT_MGR already set
[  343.282039][T27651] binder: 27646:27651 ioctl 40046207 0 returned -16
[  343.282635][ T7752] binder: send failed reply for transaction 1028, target dead
[  343.299239][T27827] binder: 27646:27827 transaction failed 29189/-22, size 24-8 line 2994
[  343.317588][ T7752] binder: send failed reply for transaction 1029 to 27646:27651
15:41:56 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0xca7f74cdf2ec47f0, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:41:56 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0x40046205, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:41:56 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\xf6', 0x0, 0x0)

15:41:56 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x100000000000000, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  343.331599][ T7752] binder: undelivered transaction 1032, process died.
15:41:56 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\xfe', 0x0, 0x0)

[  343.448309][T27847] binder: BINDER_SET_CONTEXT_MGR already set
[  343.477006][T27847] binder: 27840:27847 ioctl 40046207 0 returned -16
[  343.509053][T27909] binder_alloc: binder_alloc_mmap_handler: 27840 20001000-20004000 already mapped failed -16
[  343.555897][T27847] binder: BINDER_SET_CONTEXT_MGR already set
[  343.580967][T27847] binder: 27840:27847 ioctl 40046207 0 returned -16
[  343.597381][ T7752] binder: undelivered transaction 1039, process died.
15:41:56 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0x40046207, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:41:56 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='cephR', 0x0, 0x0)

[  343.605671][ T7752] binder_release_work: 25 callbacks suppressed
[  343.605676][ T7752] binder: undelivered TRANSACTION_COMPLETE
[  343.619317][T27951] binder: 27840:27951 transaction failed 29189/-22, size 24-8 line 2994
[  343.639628][T27909] binder: 27840:27909 transaction failed 29189/-22, size 24-0 line 2994
[  343.701468][ T7752] binder: undelivered TRANSACTION_COMPLETE
[  343.724372][T27958] binder: BINDER_SET_CONTEXT_MGR already set
[  343.741448][ T7752] binder: undelivered TRANSACTION_COMPLETE
15:41:56 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x200000000000000, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  343.752845][T27958] binder: 27956:27958 ioctl 40046207 200002c0 returned -16
15:41:56 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$VIDIOC_S_PRIORITY(r2, 0x40045644, 0x3)
ioctl$KVM_RUN(r3, 0xae80, 0x0)
ioctl$PPPIOCGFLAGS1(r2, 0x8004745a, &(0x7f0000000000))

15:41:56 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\"', 0x0, 0x0)

15:41:56 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0xffffffff00000000)

15:41:56 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
r0 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x3, 0x400)
connect(r0, &(0x7f0000000080)=@ipx={0x4, 0x3, 0x4, "b3fb0089448e", 0x7}, 0x80)
clone(0x800, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=ANY=[@ANYBLOB='[dN:]:/llb:\x00'], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  343.883504][T28108] binder: BINDER_SET_CONTEXT_MGR already set
[  343.918771][T28108] binder: 28093:28108 ioctl 40046207 0 returned -16
15:41:56 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0x40046208, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  343.985708][T28181] binder_alloc: binder_alloc_mmap_handler: 28093 20001000-20004000 already mapped failed -16
[  344.022818][   T17] binder: undelivered transaction 1047, process died.
[  344.043714][   T17] binder: undelivered TRANSACTION_COMPLETE
15:41:57 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  344.085744][T28186] libceph: resolve 'dN' (ret=-3): failed
[  344.091436][T28186] libceph: parse_ips bad ip '[dN:]'
[  344.111054][T28108] binder_alloc: 28093: binder_alloc_buf, no vma
[  344.141147][T28108] binder: 28093:28108 transaction failed 29189/-3, size 24-8 line 3147
[  344.160204][T28191] binder: BINDER_SET_CONTEXT_MGR already set
[  344.193427][T28191] binder: 28190:28191 ioctl 40046207 0 returned -16
[  344.200266][ T7767] binder: undelivered TRANSACTION_COMPLETE
[  344.206948][T28181] binder_alloc: 28093: binder_alloc_buf, no vma
[  344.213361][ T7767] binder: undelivered TRANSACTION_COMPLETE
[  344.235856][T28181] binder: 28093:28181 transaction failed 29189/-3, size 24-0 line 3147
15:41:57 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0xffffffffffffffff)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

15:41:57 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x1800000000000000, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:41:57 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)
r0 = syz_open_dev$media(&(0x7f0000000000)='/dev/media#\x00', 0x80000000, 0x4000)
write$P9_ROPEN(r0, &(0x7f0000000080)={0x18, 0x71, 0x1, {{0x40, 0x3, 0x7}, 0x2}}, 0x18)

15:41:57 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0x40049409, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:41:57 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  344.424623][T28409] binder_alloc: binder_alloc_mmap_handler: 28407 20001000-20004000 already mapped failed -16
[  344.511090][T28419] binder: BINDER_SET_CONTEXT_MGR already set
15:41:57 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0xffffffffffffffe0)

[  344.557770][T28419] binder: 28418:28419 ioctl 40046207 0 returned -16
[  344.557910][T28408] binder: BINDER_SET_CONTEXT_MGR already set
15:41:57 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x1, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$RTC_PLL_GET(r2, 0x801c7011, &(0x7f0000000000))
ioctl$KVM_RUN(r2, 0xae80, 0x0)

[  344.603800][ T7767] binder: release 28407:28408 transaction 1052 out, still active
[  344.614205][T28433] binder_alloc: 28407: binder_alloc_buf, no vma
[  344.630582][ T7767] binder: unexpected work type, 4, not freed
[  344.652525][T28408] binder: 28407:28408 ioctl 40046207 0 returned -16
[  344.656080][T28433] binder: 28407:28433 transaction failed 29189/-3, size 24-8 line 3147
[  344.675500][ T7767] binder: undelivered TRANSACTION_COMPLETE
15:41:57 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
r0 = openat$audio(0xffffffffffffff9c, &(0x7f0000000000)='/dev/audio\x00', 0x2000, 0x0)
ioctl$RTC_ALM_READ(r0, 0x80247008, &(0x7f0000000080))
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  344.705217][ T7767] binder: undelivered TRANSACTION_COMPLETE
[  344.733587][ T7767] binder: send failed reply for transaction 1052, target dead
15:41:57 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:41:57 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0x4018620d, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:41:57 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0xfdfdffff00000000, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  344.884978][T28639] binder: BINDER_SET_CONTEXT_MGR already set
[  344.914174][T28643] binder: BINDER_SET_CONTEXT_MGR already set
[  344.920942][T28639] binder: 28636:28639 ioctl 4018620d 200002c0 returned -16
15:41:57 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
getresuid(&(0x7f0000000140), &(0x7f00000002c0), &(0x7f0000000300)=<r4=>0x0)
getresgid(&(0x7f0000000340), &(0x7f0000000380)=<r5=>0x0, &(0x7f00000003c0))
mount$fuse(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000080)='fuse\x00', 0x0, &(0x7f0000000400)={{'fd', 0x3d, r2}, 0x2c, {'rootmode', 0x3d, 0x1000}, 0x2c, {'user_id', 0x3d, r4}, 0x2c, {'group_id', 0x3d, r5}, 0x2c, {[{@default_permissions='default_permissions'}, {@blksize={'blksize', 0x3d, 0x1c00}}, {@default_permissions='default_permissions'}, {@max_read={'max_read', 0x3d, 0x5}}, {@max_read={'max_read', 0x3d, 0x539a}}], [{@smackfstransmute={'smackfstransmute', 0x3d, '/dev/kvm\x00'}}]}})
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  344.934985][T28643] binder: 28638:28643 ioctl 40046207 0 returned -16
[  344.975131][T28662] binder_alloc: binder_alloc_mmap_handler: 28638 20001000-20004000 already mapped failed -16
[  345.023656][T28643] binder: BINDER_SET_CONTEXT_MGR already set
15:41:58 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0x4020940d, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:41:58 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KDGKBMODE(r2, 0x4b44, &(0x7f0000000000))
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  345.075519][T28643] binder: 28638:28643 ioctl 40046207 0 returned -16
[  345.094415][    T5] binder: undelivered TRANSACTION_COMPLETE
15:41:58 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\xff', 0x0, 0x0)

[  345.151759][    T5] binder: undelivered TRANSACTION_COMPLETE
15:41:58 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x300, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:41:58 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000100)=ANY=[@ANYBLOB="2f6465762f6e62643000d4bae0daeda51e652a5880551bc2698ec487c262e82ac02c962d57357f5a84332de5b9225371fd32d9d8599d2c09fbbf57e8012d7e2d51dcd2d3cf3dba7725424c5857452e3af2babb68981bd5810eb66086cea2e2d412"], &(0x7f0000000080)='./file0\x00', &(0x7f00000000c0)='mynix\x00', 0xfffffffffffffff9, 0x0)

[  345.298092][T28905] binder: BINDER_SET_CONTEXT_MGR already set
[  345.327923][T28905] binder: 28901:28905 ioctl 40046207 0 returned -16
15:41:58 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  345.360595][T28959] binder: 28901:28959 got new transaction with bad transaction stack, transaction 1069 has target 28862:0
15:41:58 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x200, 0x0, 0x0, 0x8, 0x0, 0x5, 0x0, 0x0, 0x0, 0x0, 0x1], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

15:41:58 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0x402c5828, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  345.531775][T28959] binder_alloc: binder_alloc_mmap_handler: 28901 20001000-20004000 already mapped failed -16
15:41:58 executing program 1:
mkdir(&(0x7f0000000180)='./file0/file0\x00', 0x20)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
r0 = syz_open_dev$swradio(&(0x7f0000000000)='/dev/swradio#\x00', 0x1, 0x2)
write$P9_RRENAMEAT(r0, &(0x7f0000000080)={0x7, 0x4b, 0x1}, 0x7)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  345.616291][T29144] binder: BINDER_SET_CONTEXT_MGR already set
15:41:58 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x4400, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
getsockopt$inet_IP_IPSEC_POLICY(0xffffffffffffffff, 0x0, 0x10, &(0x7f00000002c0)={{{@in=@multicast1, @in=@loopback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r2=>0x0}}, {{@in=@initdev}, 0x0, @in=@initdev}}, &(0x7f0000000040)=0xe8)
ioctl$TUNSETIFINDEX(r1, 0x400454da, &(0x7f0000000080)=r2)
openat$dsp(0xffffffffffffff9c, 0x0, 0x42000, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x4cb, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  345.691218][T29144] binder: 28901:29144 ioctl 40046207 0 returned -16
[  345.691245][    T5] binder: release 28901:28905 transaction 1075 out, still active
[  345.691265][    T5] binder: unexpected work type, 4, not freed
15:41:58 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0x402c582a, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:41:58 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
prctl$PR_SET_NAME(0xf, &(0x7f0000000000)='/dev/kvm\x00')
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x1)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_GET_DEVICE_ATTR(r2, 0x4018aee2, &(0x7f0000000140)={0x0, 0x10000, 0x4c, &(0x7f0000000080)=0xc1cb})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)
setsockopt$inet_dccp_buf(r2, 0x21, 0xc, &(0x7f00000002c0)="6f93a1095cbfe350f8511788b32746390acb9229a67c36fda6adb097e1e92fa2be47611e1a5ff5cd215d49d57c4ae13e7167c2b3b9ae2d7687be6fb8500f6ff57922658c1d25ddef610aa00fd6a94fc147e36b610f0047406ff7680a94df89005c5dadd74826a8295111d67707cca7098f5326855c66b9d5827f4da56b6beac5273fbe95c2423c614bb5b94ea0b5e7aa2334f9978770602022610c895eafe9f3f032eb7cd6e13c27464be96da4eead6e0b6ccf9ebf96e7518314c2337584a1cb9af04771bbfb17f8a347e8400173aa43c108de6b06c6928318d967df994ad8b2d59a2abd7003a387b9e7aba8cee522f5caa9683d10af1e4d88390512cfd8c2434d35d6858da1f19d7c6b636d15c74bb9c0b1b5cd8c5c84a8146276001ea3317e9cd7f155eb7f28cc501618eb12db69094cea1c08b9f5e80b4ecea71f05c194ceb642144d5d1b6b1a84f39c5127b1c3d232bfbde7e115e5ab3840a22b0e11f15ea56fad9db86c481424608164dcdbd0919f585c6b8c44a60c9385073406768fa4c13cdd2a7978d340e28e12ba607dda3496006f309e216e6755ce5473c266f37dc9c61dea4a8ac1ac97d712822b97138f75b5cf2e90de33184a95b945e34ed5bda694bb36d7bf8cf613f041c841bd7a99840b8c2814826a977dd38882cc8a6d7b054f022a2f2111af357793f11f4df2b282de55e0f426243c281db2c092bf9a69f8ea6acfda3561fee2634f7639f10520aa3af60a1e055f79c16861fb5057c0d3d0c35980f71c252ecfa8548d56af6d88279b28dfcdafbe3943ed9d00ac08f177ff9ce851e5ef3c3301e75f23f1001983368c8afe3ab423029093c1253536323266d4c91aa6c466ddfc50c95653554bfb293899541aee6aefc1d4f7624d0c7e8fd9007676ca8211c869dd5b847fe8b5000b84f096d9a7ef5aff524762cad0735457fc8c8d567b10d071f5de2a1c11283b6134272cea91ca31a4ffe1a761b59770ed238d18553808842a200dc1128b586511cc1a179d91950f756195ac342b82a1d842a14e6b50e4b54d36212937b33491b0fee7899a904134114100f1a00941e3e46d5b2bc1314d6a88128a56af402ea6d5c7892965c187e412a497c4fbdabc9f10f2abb20636fe03c0aaa8636efb9b81dcaf2e60468aa03d073787eed82f624222525999e370377820ef956be5cffebb2168daf901043dc46d07f92efbb34467b90d1217a02b519f6df300d7ec80f0f2e41ba155772a6c7a3f7250e7f984d3e8d31a8d84d342baba05dabf093db716ca79f609306cb28e5f9711fd604613b66b431fd14db245c1734e9ca36e148da2a51414e36ea23b2649101421ec3c0d6fceab0fd2e09932a5ee912564be83314637c84a8e1a5cfb459b0a32551337a12f1aa1eef7939070d1779e881cf62a0e5f19a247733f6fd9b73984a1a9e3902b31fe57cde931145c3dd80b23c32c88b499b699b49beb0af54a980041576ea485fdd43a91fe61e9f2b79bd5536dd882757341ab9c1bc03470ce7bd6492c75eedc76a0d1ded95d815839d6b49b28a73bcae1e42177324ebf07ac6095d3af282b8038f7a68b38b42f62021f27bc7d331f01d3efa2af18301d00a51207cfee512eac54c1b53d9b99729c593c239400a697660cfa84fbfa5a34927cfea7a2da6c122f2e15676247ef1fa8e69047f634ee615f97edf8cd1e0b02d54752060fc1d9a546c0097add2f8a3209192399d96b7442870999064463ecce032167c38987b1cb01c020373ec1589d6ec3ae7965b7d4fbeca23a9e9285d13a7fcbd0cae5eae6c69d63b7152fd4cabb80a9292f62cbc6f5b86692337ffad3c2df8de1d8edca25e1202486d926ccf024127974b90e0369f9fdea0fa154a89cf27e022dfc6a00a10304174c844dea861118251bb2f8736428236d269fb86874edc28c4a17b58cc9b17daec6527ca3f47f0d72347220295f6959260dbf30b59e75b64614c3be81780ddca1e3e24e611e671b0366bdb0325d4cc92e3070e49de22313da6074ab83d8d6f9a92e4cdd95ddcb6c0a9ced3d0ebf3b11ea507e415c48f35c6d5397412430a1a5c751fa0ae5be375374b54607e6ae5a9539a4241b33a6b59f835995eac165f81570dcb493c8372f89bd27418392c568e1cc3a16416e2d0a2bce5bc076c5fde8b258e5596fe03716fcf3196d6e53ff74694377cbf99d7706e2caba3d504f07d3648711a1065f930667cd1f063cab4d572857edd1674129ec69ae83a60e213a0b29188cfd98e7390cc3f6a0b518602ab0621db994f88d5a5fc851aabc5bdb038f5a21c5f488e97cd02b9b976edbe1147e4a33477bed67ade9c9a57276ca8ecee4672e609ebd919e912d511b68309704ee811d4c80fd0e968e3597dab0e925213ac369ff0f49411e3a5de98efb9d52bfa3b7decaa67f2b55e478cc9f709d663a40730891dbb7f58baaf57b95101474433274956901133b02bfdd667c843559155baf57efe2c0b5a6430edca7ee969158cc0510f4d8aeeefdc9ab8865ca1cefa5f497f7349c5d308ed5f0bc1651f464265c80a050b2777be20d5e4efa282e47f9463472bd55fb83d08020056494a8c5918fddfd8e5605f22e9628ce91a88eee774f18488f2b92bfde98b01827e85de31d27ad63b61e836922b9d794c085a0ff27c7131933e869c248da09f1800c8821d1bcf6ed5544ee5cab5b5e0c74843801c335a2d10d6d48de8cbf633d5e80793488cbcf76cfb4475a831d935a4e8668d19a0805cea1996b831fafb45049d2234d4e44a8e909b777bd2fe1c7a800448866033c517e30464974aa6356ad3fbf99fccf936680c7c190556b42f1093f54928d821fd35877b76331a21ec343232cb792a5de89e0c7d380a3d8b91d6f5052726e675175345dd16e8bba69d44875a3d8db2bb6dee77575f8a623ea43445358762506cc24d29b5b9736b335821395010fdda28f80d997d889a1386f047a9b4e550dbea7ffbab2221f3c21b7544f10143b5356581c525ed09abfca0a670bd89eae5accd07f92bd26feba801eadf1022ed9a073900a8be52c86e0c92aa5c32fd15b90f53544088f5ba3826213297e13b0308658ec8c90a275af71cbf56de7e46da2b43fb1e45b74679c81664713341067e79282fd26bf629926c5e3e8015e0da4ae27dda8656dde91a1f48e5a7d5f16dc259de44d7098f91eaef75e7408c924094e67e036c1c61f85522fe698940d726feb967b043d20d974c6f9bfd8b59df40c51d8cd684889ef11159fde36a2ac6aeda431111f303fdaddfcc370323674b81309121c9ebe70c32d6b84511866d85468cdba577b618dd3ae969af5909bfe98ca5b243851e66fbc588d2fe4474cab6831dfadd9c3b8f39260101c05cd40ba192c04e147ee4f50efbc012895bbc67d5dcd02d5b74c71d04434a1e0c8de6da71a3176d2e6a803c7e1e1b05661e92f0957d796ed20d233d25e944dd2188be2ba26a19fa7d570341cbc34358d0a7b0e94d04251c0dcec159a7af7d1bf3a3edcd4b9b0660e5a96175aa8cb5c6fa0ecda826b95c67fe4d495bab2cced4d4fec67f1e34fdde9d2871e7d0641fd3ab6c1b2674a9d3dd733afad907b66dfd64c7af3e293da41859f81d2dfb944f8e5a97429fe6f185a9f1c7552514167cf4481a5dea3f0f354a86d629d61852451a726c7e07534510fd9a6821f86315382d7c64222a52ce7f550da2ad4d94537e039b8b8d4be2a505d0103c232ad433cfb66e802b69cfeda9f47ff4ef715c500eccb86da15b55df208309726d5c5c6e8632413d8ff1ad5d3f209a1dc1f0d2bdc6a55164af202a9290e196166819aa06a83e9c66664ca58ace554941f8de5f47ed06f8a6ddaf3cf62f4f500f1c293ed56f4ff987187e6337e9d1d915c7ed2c079b251dee72fde039350d99f6421fc862eab269a45b00953c626bbb528dd2516564f5061786b7aa214d536d55f17c1f2b5b3c83024a896d5ec527d88170b21f818e8461d60ae034a7b6dc482c5403478e00adbceaad237a31e40384882e330e3e25b5d9ffe04f580169039f6ddfb9780341bb01b2f90047e82b9f00f68493f0b8483696f5b4f9515187d7054174aad4e0b319f126d55c9cb7c292a694c4c22be58dbd99d8aae218aa30cb066308ed2f3c2c45cfebc4ecdc8660524cf569698f2326cb43d79b15482a28d49840369f2bbc27660e5b1488bcc044e476a48d63df22e9968301212ccfb375abf184c131f46059ad63cca27f41fd4433ce44f42b250ee7f89bb5eefe4b33553556a022cc30662597a304b8f4a0f79653782a22c03de37850d0fca4f08e1eab3468ee8fa3bb9632867db4333921c42bcaba60a7bd4f52843be443eb978d926ad2e699db28519c9d72285fa3568b4b089c75a9920e8ffd550abc8a82c3dcd699d240cde3d95fdd030ab4a07f0e8445e0062c1155b01d97d6ed171cd97dba2bc5aeda0bdf9c5a6ea5bcfe4623ee36f579d1cf127f604f246f1da133b6bc5e1261c46a0bc9e8d898d9d5c7f7c2e9f14df4b7a13039114f6456aeb23de31821fd83faba7eedcc8ec750933f6601ede3b77f2677358dcae299bfc2e18ba7073db290552099df51a7aee95826ae6af10a79b7e590e0f62d92032d021b1517f84e72704db62b915089ab3139262ba78c4b7a63ff531890f589f71b770c4234e38731d93c79e043dcc6e61204b747494a7b5c73f48661bceefba8ad3b2d5b63603f41138bc9d699d682ae927db2fcb25ecf776433e8ae76f73fecc1bb50ab4d838fb058a292b7c96a617abfbeaf179b28004f325524de90353ec4c219123b58193fd1a94d5c1d9d64eb68d469ff61a646cc7f539e205abdff1de8e3078309365885edd1b20e2325c6fe5fc22bf84e6730fe3215e64c884ed8170e5eb3d5b8471aeb5a41942580e9b114812f5851ab4e3b005d8c84f14f02ee74d6fdf788e45f534f6b9e8477ebe062ab95a3b0e9c6e833cef04546f9e56bfb47255c8320d19073ab3b34ce5899ce2559be48fcfddff1f48ebec4cd331f952083a0667510c130ffa6745efc3f89b7bcb1b16d29d220dae1b3cc265fd10744230fb08c9515e864090df0f8657957a3b15f45461107cfdab56d7384d1c0cdf1bee57aa72e33a1eafd9224bccad41b7aa76d558464b019affe8b2613c0ccc587f74de9cb90bb44081936ab839b43b4825bcb714b4fdd557479ed5b9c53adf3cadcc76fa4b8addaf933e927523a380b731f9bbb5b1b57365fb1938e8a475ba021a5b4535a7eb68b124407880466b430619eb52a19035444c6cb60cb506da57b310758fb7e46753b28f866d5fc6690c0db6d4d2a83fc4dbcc29658b94d6da6e75c2f871ab354f4a083465620b4af42b3ce3484210b247ae3bb81c1aff2d5fe91bb1d89b05d0b2ad0f823e212a98f3c20dc23f7e433a5db22af14b725aac621cd549a5671744eb5892808a4542146f9b058ebc1e908a33380e97e82c5e699467f7535b47c5751262fc82937edc13b0d621e8b5a16b3cd59eb3e3677f6140fd3650104ae88dc90b6e50d272064529da110a25edd6ffe72d7f49e7365aaa01a0d00a37df478bc78ab30c5a3caf0d7662a47da5d7b59ed57a56039b8ab5d5b3ae8bf02a30c5d66bbc6a4c9df71fc311d0f151a93207412098641a3128339ed39355465a06387332b3ebc6df69d0a08bc7b32e02c602d656da82b81e577ba742cb14ecfe946202216f5740548743a6b4b80ccae5a7f5936aba36bd171787c170137819bd542d2d4d0dcb20e96ec03341856e842df9eb908beb6791bf8717e97aace4f0f40faf", 0x1000)

15:41:58 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0xffffff1f, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  345.762963][    T5] binder: send failed reply for transaction 1075, target dead
15:41:58 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  345.893587][T29252] binder: BINDER_SET_CONTEXT_MGR already set
[  345.920764][T29252] binder: 29229:29252 ioctl 40046207 0 returned -16
15:41:58 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
getsockopt$inet6_IPV6_XFRM_POLICY(r2, 0x29, 0x23, &(0x7f00000002c0)={{{@in=@multicast2, @in=@dev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r3=>0x0}}, {{@in6=@initdev}, 0x0, @in6}}, &(0x7f0000000000)=0xe8)
r4 = getegid()
fchownat(0xffffffffffffffff, 0x0, r3, r4, 0x2)
r5 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$SNDRV_CTL_IOCTL_SUBSCRIBE_EVENTS(r1, 0xc0045516, &(0x7f0000000040)=0xe09c)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r5, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r5, 0xae80, 0x0)

[  345.948310][T29375] binder_alloc: binder_alloc_mmap_handler: 29229 20001000-20004000 already mapped failed -16
[  345.965622][T29252] binder: BINDER_SET_CONTEXT_MGR already set
15:41:58 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
getsockname(0xffffffffffffffff, &(0x7f0000000080)=@pppol2tp={0x18, 0x1, {0x0, <r0=>0xffffffffffffffff, {0x2, 0x0, @empty}}}, &(0x7f0000000140)=0x80)
getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST(r0, 0x84, 0x1d, &(0x7f00000001c0)={0x5, [0x0, <r1=>0x0, 0x0, 0x0, 0x0]}, &(0x7f0000000240)=0x18)
setsockopt$inet_sctp_SCTP_AUTH_ACTIVE_KEY(r0, 0x84, 0x18, &(0x7f0000000280)={r1, 0x3}, 0x8)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
setsockopt$IP_VS_SO_SET_EDITDEST(r0, 0x0, 0x489, &(0x7f0000000380)={{0xff, @initdev={0xac, 0x1e, 0x0, 0x0}, 0x4e21, 0x3, 'none\x00', 0x2, 0x0, 0x36}, {@loopback, 0x4e20, 0x0, 0x3, 0x1, 0x4}}, 0x44)
getsockopt$inet_sctp6_SCTP_DISABLE_FRAGMENTS(r0, 0x84, 0x8, &(0x7f0000000000), &(0x7f0000000180)=0x4)
mount(&(0x7f0000000040)=ANY=[@ANYBLOB="3d802410010000000000"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)
setsockopt$packet_fanout(r0, 0x107, 0x12, &(0x7f00000002c0)={0x9de, 0x7, 0x8000}, 0x4)

[  345.992450][    T5] binder: release 29229:29375 transaction 1080 out, still active
[  346.001277][T29252] binder: 29229:29252 ioctl 40046207 0 returned -16
[  346.009812][    T5] binder: unexpected work type, 4, not freed
15:41:59 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0046209, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:41:59 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x2, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  346.038664][    T5] binder: release 29229:29375 transaction 1084 out, still active
[  346.058503][T29429] ceph: device name is missing path (no : separator in =�$
)
[  346.079723][    T5] binder: unexpected work type, 4, not freed
[  346.113104][    T5] binder_send_failed_reply: 10 callbacks suppressed
[  346.113113][    T5] binder: send failed reply for transaction 1079 to 29247:29248
15:41:59 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  346.184851][T29450] binder: BINDER_SET_CONTEXT_MGR already set
[  346.199954][    T5] binder: send failed reply for transaction 1080, target dead
[  346.222897][T29450] binder: 29447:29450 ioctl 40046207 0 returned -16
15:41:59 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
socketpair(0x1b, 0x6, 0xa73d, &(0x7f0000000000))
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

[  346.245346][    T5] binder_cleanup_transaction: 2 callbacks suppressed
[  346.245354][    T5] binder: undelivered transaction 1083, process died.
[  346.269637][T29589] binder_alloc: binder_alloc_mmap_handler: 29447 20001000-20004000 already mapped failed -16
15:41:59 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=ANY=[@ANYBLOB="00000000008b3a0000000000"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xffffffffffffffff, 0x0)

[  346.303439][    T5] binder: send failed reply for transaction 1084, target dead
[  346.318275][T29450] binder: BINDER_SET_CONTEXT_MGR already set
[  346.346585][T29450] binder: 29447:29450 ioctl 40046207 0 returned -16
[  346.384660][ T7756] binder: send failed reply for transaction 1088 to 29441:29442
15:41:59 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc018620b, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  346.397378][ T7756] binder: send failed reply for transaction 1089 to 29447:29589
[  346.427563][ T7756] binder: undelivered transaction 1092, process died.
15:41:59 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x18, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:41:59 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = syz_open_dev$sndpcmp(&(0x7f00000002c0)='/dev/snd/pcmC#D#p\x00', 0x3, 0x400000)
setsockopt$CAIFSO_LINK_SELECT(r2, 0x116, 0x7f, &(0x7f0000000300)=0x2, 0x4)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r3 = accept4(r1, &(0x7f0000000000)=@xdp, &(0x7f0000000080)=0x80, 0x80800)
sendmsg$key(r3, &(0x7f0000000140)={0x0, 0x0, 0x0}, 0x4000)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r4, 0xae80, 0x0)

15:41:59 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:41:59 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=ANY=[@ANYBLOB='[N::]:/llb:\x00'], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)
r0 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vga_arbiter\x00', 0x800, 0x0)
ioctl$PPPIOCGUNIT(r0, 0x80047456, &(0x7f0000000080))

[  346.593649][T29831] binder: BINDER_SET_CONTEXT_MGR already set
15:41:59 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc018620c, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  346.647899][T29831] binder: 29830:29831 ioctl 40046207 0 returned -16
[  346.710249][ T7756] binder: send failed reply for transaction 1094 to 29719:29721
[  346.718304][T29868] binder_alloc: binder_alloc_mmap_handler: 29830 20001000-20004000 already mapped failed -16
[  346.734990][T29887] libceph: resolve 'N' (ret=-3): failed
[  346.745303][ T7756] binder: send failed reply for transaction 1095 to 29830:29868
[  346.768429][T29831] binder_transaction: 2 callbacks suppressed
[  346.768445][T29831] binder: 29830:29831 transaction failed 29189/-22, size 24-8 line 2994
[  346.773519][T29887] libceph: parse_ips bad ip '[N::]'
[  346.790174][ T7756] binder: undelivered transaction 1098, process died.
[  346.803667][T29893] binder: BINDER_SET_CONTEXT_MGR already set
15:41:59 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200000000003, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff81, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x400400, 0x0)
setsockopt$inet_sctp_SCTP_AUTOCLOSE(r2, 0x84, 0x4, &(0x7f0000000000)=0x7ff, 0x39b)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
getpeername(r2, &(0x7f00000002c0)=@pppol2tp={0x18, 0x1, {0x0, 0xffffffffffffffff, {0x2, 0x0, @loopback}}}, &(0x7f0000000080)=0x80)
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

15:41:59 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x1800, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  346.864428][T29893] binder: 29892:29893 ioctl 40046207 0 returned -16
[  346.864449][ T7756] binder_release_work: 24 callbacks suppressed
[  346.864455][ T7756] binder: undelivered TRANSACTION_ERROR: 29189
15:41:59 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:41:59 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
getsockopt$sock_cred(r1, 0x1, 0x11, &(0x7f0000000000)={<r2=>0x0}, &(0x7f0000000040)=0xc)
sched_getscheduler(r2)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0xb1aeb5b273ae2f2e, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

15:41:59 executing program 1:
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000140)=ANY=[@ANYBLOB="38643a020000008488c16ae73a0b41e95e72a7efd1e9e6ef510c346cc669341cb611ccfc89b3649c41572c5ba12fc492dbae0765a74cb343bd353898bb7293f73915ba3e81f597cfd761e102809ff4c5f60dde1a334505138923d78e9912b6ca23e3948b0e0c2f5d2a01aeb40665a20fb063aba698e1dee7a446e9dda1f9621cee48481003f7e1"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)
r0 = openat$dlm_control(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm-control\x00', 0x20002, 0x0)
ioctl$KVM_PPC_ALLOCATE_HTAB(r0, 0xc004aea7, &(0x7f0000000040)=0x7)
ioctl$VT_SETMODE(r0, 0x5602, &(0x7f0000000080)={0x6, 0x6, 0x4, 0x3, 0x7fff})

[  346.964109][ T7756] binder: undelivered TRANSACTION_ERROR: 29189
[  347.011101][ T7756] binder: undelivered TRANSACTION_ERROR: 29189
[  347.031096][T30083] binder_alloc: binder_alloc_mmap_handler: 30073 20001000-20004000 already mapped failed -16
15:42:00 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0189436, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  347.076984][T30081] binder: BINDER_SET_CONTEXT_MGR already set
[  347.083291][T30081] binder: 30073:30081 ioctl 40046207 0 returned -16
[  347.090120][T30083] binder_alloc: 30073: binder_alloc_buf, no vma
[  347.168987][T30083] binder: 30073:30083 transaction failed 29189/-3, size 24-8 line 3147
[  347.179245][T30147] binder: BINDER_SET_CONTEXT_MGR already set
15:42:00 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
getsockname$packet(0xffffffffffffff9c, &(0x7f0000000000)={0x11, 0x0, <r4=>0x0, 0x1, 0x0, 0x6, @remote}, &(0x7f0000000080)=0x14)
setsockopt$inet_mreqn(r2, 0x0, 0x27, &(0x7f0000000140)={@local, @broadcast, r4}, 0xc)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  347.223963][T30147] binder: 30146:30147 ioctl 40046207 0 returned -16
[  347.224002][ T7807] binder: send failed reply for transaction 1102 to 30073:30081
15:42:00 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x1000000, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  347.297054][ T7807] binder: undelivered transaction 1105, process died.
15:42:00 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=ANY=[@ANYBLOB="6c6c621a00"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:42:00 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  347.367768][ T7807] binder: undelivered TRANSACTION_ERROR: 29189
[  347.410484][ T7807] binder: undelivered TRANSACTION_ERROR: 29189
15:42:00 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc020660b, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  347.475995][T30330] binder: BINDER_SET_CONTEXT_MGR already set
[  347.485530][T30331] ceph: device name is missing path (no : separator in llb)
[  347.511853][T30330] binder: 30302:30330 ioctl 40046207 0 returned -16
[  347.511915][T30333] binder_alloc: 30302: binder_alloc_buf, no vma
[  347.591047][T30333] binder: 30302:30333 transaction failed 29189/-3, size 24-8 line 3147
[  347.592474][T30366] binder: BINDER_SET_CONTEXT_MGR already set
[  347.622258][T30366] binder: 30365:30366 ioctl 40046207 0 returned -16
[  347.629368][T30329] binder_alloc: 30302: binder_alloc_buf, no vma
[  347.635921][T26837] binder: release 30302:30329 transaction 1108 out, still active
[  347.653711][T26837] binder: unexpected work type, 4, not freed
[  347.662192][T26837] binder: send failed reply for transaction 1108, target dead
[  347.672974][T30329] binder: 30302:30329 transaction failed 29189/-3, size 24-0 line 3147
[  347.681750][T26837] binder: undelivered transaction 1111, process died.
15:42:00 executing program 1:
r0 = openat$cachefiles(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/cachefiles\x00', 0x200000, 0x0)
write$UHID_DESTROY(r0, &(0x7f0000000240), 0x4)
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
r1 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vga_arbiter\x00', 0x1000040000, 0x0)
r2 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000600)='TIPCv2\x00')
sendmsg$TIPC_NL_SOCK_GET(r1, &(0x7f0000000180)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x80800}, 0xc, &(0x7f0000000140)={&(0x7f0000000380)={0x200, r2, 0xb01, 0x70bd29, 0x25dfdbfb, {}, [@TIPC_NLA_LINK={0xd8, 0x4, [@TIPC_NLA_LINK_PROP={0x1c, 0x7, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xfffffffffffffae2}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7155}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x13}]}, @TIPC_NLA_LINK_PROP={0x14, 0x7, [@TIPC_NLA_PROP_PRIO={0x8}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0xd728}]}, @TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz1\x00'}, @TIPC_NLA_LINK_PROP={0x4c, 0x7, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x40000000000}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xc}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0xbb}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x7}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x8}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x1b}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x80000000}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x40}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x401}]}, @TIPC_NLA_LINK_NAME={0xc, 0x1, 'syz0\x00'}, @TIPC_NLA_LINK_PROP={0x2c, 0x7, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x5}, @TIPC_NLA_PROP_PRIO={0x8}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x2}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7f}]}, @TIPC_NLA_LINK_NAME={0x14, 0x1, 'broadcast-link\x00'}]}, @TIPC_NLA_NET={0x34, 0x7, [@TIPC_NLA_NET_ID={0x8, 0x1, 0x4}, @TIPC_NLA_NET_NODEID={0xc, 0x3, 0x344}, @TIPC_NLA_NET_ADDR={0x8, 0x2, 0x1}, @TIPC_NLA_NET_ID={0x8, 0x1, 0x3}, @TIPC_NLA_NET_NODEID_W1={0xc, 0x4, 0x2}]}, @TIPC_NLA_NODE={0x24, 0x6, [@TIPC_NLA_NODE_UP={0x4}, @TIPC_NLA_NODE_UP={0x4}, @TIPC_NLA_NODE_ADDR={0x8, 0x1, 0x5}, @TIPC_NLA_NODE_UP={0x4}, @TIPC_NLA_NODE_ADDR={0x8, 0x1, 0x5}, @TIPC_NLA_NODE_UP={0x4}]}, @TIPC_NLA_SOCK={0x20, 0x2, [@TIPC_NLA_SOCK_ADDR={0x8, 0x1, 0x81}, @TIPC_NLA_SOCK_HAS_PUBL={0x4}, @TIPC_NLA_SOCK_REF={0x8, 0x2, 0xfffffffffffffffc}, @TIPC_NLA_SOCK_REF={0x8, 0x2, 0x7}]}, @TIPC_NLA_MEDIA={0x3c, 0x5, [@TIPC_NLA_MEDIA_PROP={0x14, 0x2, [@TIPC_NLA_PROP_MTU={0x8, 0x4, 0x80}, @TIPC_NLA_PROP_MTU={0x8, 0x4, 0x7fff}]}, @TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'ib\x00'}, @TIPC_NLA_MEDIA_PROP={0x1c, 0x2, [@TIPC_NLA_PROP_WIN={0x8, 0x3, 0x1}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x7d7}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x13}]}]}, @TIPC_NLA_MEDIA={0x20, 0x5, [@TIPC_NLA_MEDIA_NAME={0x8, 0x1, 'udp\x00'}, @TIPC_NLA_MEDIA_PROP={0x14, 0x2, [@TIPC_NLA_PROP_PRIO={0x8, 0x1, 0x17}, @TIPC_NLA_PROP_WIN={0x8, 0x3, 0x7}]}]}, @TIPC_NLA_BEARER={0x40, 0x1, [@TIPC_NLA_BEARER_PROP={0x2c, 0x2, [@TIPC_NLA_PROP_TOL={0x8, 0x2, 0xfffffffffffffff7}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0xc2}, @TIPC_NLA_PROP_PRIO={0x8, 0x1, 0xf}, @TIPC_NLA_PROP_PRIO={0x8}, @TIPC_NLA_PROP_TOL={0x8, 0x2, 0x6}]}, @TIPC_NLA_BEARER_NAME={0x10, 0x1, @l2={'eth', 0x3a, 'team0\x00'}}]}]}, 0x200}}, 0x4000)
mount(&(0x7f0000000040)=ANY=[@ANYBLOB="26429700003a406c6c623a00"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  347.726819][T26837] binder: undelivered TRANSACTION_ERROR: 29189
[  347.738721][T26837] binder: undelivered TRANSACTION_ERROR: 29189
15:42:00 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchmodat(r2, &(0x7f0000000000)='./file0\x00', 0x4)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

15:42:00 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:42:00 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x2000000, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  347.826603][T30547] ceph: device name is missing path (no : separator in &B�)
15:42:00 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_SET_GSI_ROUTING(r2, 0x4008ae6a, &(0x7f0000000000)={0x3, 0x0, [{0xa0d, 0x5, 0x0, 0x0, @msi={0x8, 0xd8, 0x2}}, {0x81, 0x7, 0x0, 0x0, @irqchip={0xc52, 0x3}}, {0x8, 0x3, 0x0, 0x0, @sint={0x3, 0x287}}]})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

15:42:00 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306225, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  347.921555][T30567] binder: BINDER_SET_CONTEXT_MGR already set
[  347.961427][T30567] binder: 30566:30567 ioctl 40046207 0 returned -16
[  347.961487][T30582] binder: BINDER_SET_CONTEXT_MGR already set
15:42:01 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
socket$inet6_sctp(0xa, 0x5, 0x84)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  348.030585][T30582] binder: 30580:30582 ioctl 40046207 0 returned -16
[  348.032281][T30578] binder_alloc: 30566: binder_alloc_buf, no vma
[  348.037498][ T7752] binder: release 30566:30567 transaction 1115 out, still active
15:42:01 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  348.090223][ T7752] binder: unexpected work type, 4, not freed
[  348.120820][ T7752] binder: send failed reply for transaction 1115, target dead
[  348.136454][T30578] binder: 30566:30578 transaction failed 29189/-3, size 24-8 line 3147
15:42:01 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x18000000, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  348.164505][ T7752] binder: undelivered transaction 1118, process died.
[  348.197155][ T7752] binder: undelivered TRANSACTION_ERROR: 29189
15:42:01 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc030627e, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:01 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f00000002c0)={[0x0, 0xffa3, 0x0, 0x0, 0x0, 0x4000000000, 0x4cb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200], 0x5000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

15:42:01 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x20000, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
ioctl$KVM_TRANSLATE(r2, 0xc018ae85, &(0x7f0000000000)={0x5000, 0xd000, 0x8, 0xc14, 0x492})
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  348.339541][T30785] binder_alloc_mmap_handler: 2 callbacks suppressed
[  348.339560][T30785] binder_alloc: binder_alloc_mmap_handler: 30782 20001000-20004000 already mapped failed -16
[  348.366828][T30788] binder: BINDER_SET_CONTEXT_MGR already set
[  348.392647][T30788] binder: 30786:30788 ioctl 40046207 0 returned -16
[  348.421974][T30783] binder: BINDER_SET_CONTEXT_MGR already set
15:42:01 executing program 1:
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)
r0 = syz_open_dev$vcsa(&(0x7f00000000c0)='/dev/vcsa#\x00', 0x12, 0x400)
openat$random(0xffffffffffffff9c, &(0x7f0000000240)='/dev/urandom\x00', 0x200000, 0x0)
r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000140)='/dev/sequencer2\x00', 0x224002, 0x0)
ioctl$sock_bt_bnep_BNEPCONNADD(r0, 0x400442c8, &(0x7f0000000180)={r1, 0x401, 0x7, "885b566b4c899526304ee66e9462985874b447e79001379186dd5bd1165aa8e31a94011dba11208f70686f8c5b757512d0e69565bb02e8c399ff93ac132d072662bd06e8b7a2bb2b3269ad97a50e4f2e17ddf836eff5304d67cb7f8e73dbf94d14dbac8b810fd98c4a"})
r2 = syz_open_dev$dspn(&(0x7f0000000000)='/dev/dsp#\x00', 0x100000000, 0x0)
ioctl$DRM_IOCTL_MARK_BUFS(r2, 0x40186417, &(0x7f0000000080)={0x1f, 0x4, 0x6, 0x20, 0x1, 0x5})

15:42:01 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  348.467145][T30783] binder: 30782:30783 ioctl 40046207 0 returned -16
[  348.467268][T30894] binder_alloc: 30782: binder_alloc_buf, no vma
[  348.543239][T30894] binder: 30782:30894 transaction failed 29189/-3, size 24-8 line 3147
[  348.562930][    T5] binder: send failed reply for transaction 1121 to 30782:30783
[  348.584501][    T5] binder: undelivered transaction 1124, process died.
[  348.599313][    T5] binder: undelivered TRANSACTION_ERROR: 29189
[  348.614928][    T5] binder_release_work: 22 callbacks suppressed
[  348.614933][    T5] binder: undelivered TRANSACTION_COMPLETE
[  348.632019][    T5] binder: undelivered TRANSACTION_COMPLETE
15:42:01 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x7e, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:01 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0xfdfdffff, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  348.675740][    T5] binder: undelivered TRANSACTION_ERROR: 29189
15:42:01 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$KVM_S390_UCAS_UNMAP(r2, 0x4018ae51, &(0x7f0000000000)={0xfffffffffffffffd, 0x4, 0xfffffffffffffff9})
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

15:42:01 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
ioctl$KVM_DEASSIGN_DEV_IRQ(r1, 0x4040ae75, &(0x7f0000000000)={0x1, 0x8001, 0x7})
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
fcntl$setlease(r2, 0x400, 0x0)
ioctl$KVM_SET_REGS(0xffffffffffffffff, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(0xffffffffffffffff, 0xae80, 0x0)
ioctl$PERF_EVENT_IOC_REFRESH(r2, 0x2402, 0x65d)

15:42:01 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
r0 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vcs\x00', 0x0, 0x0)
write$binfmt_script(r0, &(0x7f00000004c0)=ANY=[@ANYBLOB="2321202e2f66696c6530206367726f757027e55d2c202f6465762f696e7075742f6576656e742300202f6465762f6d69646923000a722ff973a07cf7a837b1e8a6dffdbdee66a57afeac908a66237df79c58ea2dd2aa60306cdd8fa30d1ab097519bdfca209c5242060f54256ad05d4742f6569dfca7ed8bf488394294bf0adae85efc5ec0e5d836fd888ba5e9f00899b20d4942d4425f368e835cd87a751e1c8896cce35fbca730d9796dc464a3846f0127fbdad9291174b908ad3645ada81a93e45bacab7f60"], 0x9e)
r1 = syz_open_dev$evdev(&(0x7f0000000080)='/dev/input/event#\x00', 0xe0, 0x101200)
ioctl$ifreq_SIOCGIFINDEX_team(r0, 0x8933, &(0x7f0000000240)={'team0\x00', <r2=>0x0})
ioctl$EVIOCSABS2F(r0, 0x401845ef, &(0x7f00000002c0)={0x647c, 0x8, 0x5, 0x6cd1, 0x100000000, 0x1fdc})
ioctl$sock_inet6_SIOCSIFADDR(r0, 0x8916, &(0x7f0000000280)={@loopback, 0x20, r2})
sendfile(r0, r1, &(0x7f00000000c0), 0xa475)
openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000300)='/dev/cachefiles\x00', 0x200000, 0x0)
r3 = syz_open_dev$midi(&(0x7f0000000000)='/dev/midi#\x00', 0xf8b8, 0x408000)
ioctl$TUNGETIFF(r0, 0x800454d2, &(0x7f0000000480))
ioctl$SCSI_IOCTL_DOORUNLOCK(r3, 0x5381)
mount(&(0x7f0000000380)=ANY=[@ANYBLOB="5b643a098e9df66c6c623a007817f318d9c974248dcf2157534f3b1e99eb6b2bc083389388cf45195eef19f0807171792e9ce34e44a91ff13f3f26244eed76386bd7c836b9fc33086f6810a1a28830db1237df2d7c9b347fe9e36740e95c89452dfca4d34b485cc0e18a446457d71058ffdd336e9fbc0a10f0f7e5e8544e61ac61176146a5cc891f23270e2d38e87093e2d89ec0298a14b99a3be5078addb8f995d4b57fa9d08e38c48c0d1cc60afbd90c28a07bb3293d4f43a7955caafc1fcad63e84807c5fc99bbb6a0ca04ecc4c85f49ae3f40efc9e455db817e8392d9e3f5497f9c9bb2412a2701541b0984526a40b1fe9b7d124cd7e03c43fc05d29"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:42:01 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  348.762932][T31109] binder: 31108:31109 got new transaction with bad transaction stack, transaction 1127 has target 31108:0
[  348.828542][T31113] binder: BINDER_SET_CONTEXT_MGR already set
[  348.842702][T31109] binder: 31108:31109 transaction failed 29201/-71, size 0-0 line 3044
[  348.862516][T31113] binder: 31112:31113 ioctl 40046207 0 returned -16
[  348.900642][T31126] binder_alloc: binder_alloc_mmap_handler: 31112 20001000-20004000 already mapped failed -16
[  348.931631][T31113] binder: BINDER_SET_CONTEXT_MGR already set
[  348.959876][T31113] binder: 31112:31113 ioctl 40046207 0 returned -16
[  349.032993][    T5] binder: release 31112:31113 transaction 1129 out, still active
[  349.055792][    T5] binder: unexpected work type, 4, not freed
15:42:02 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0xfffffdfd, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:02 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$GIO_CMAP(r2, 0x4b70, &(0x7f0000000080))
ioctl$TIOCGPGRP(r2, 0x540f, &(0x7f0000000000)=<r3=>0x0)
ioctl$sock_FIOSETOWN(r2, 0x8901, &(0x7f0000000040)=r3)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
sendto$rxrpc(r2, &(0x7f0000000140)="78f76791269d0a88583d6a8d6de912", 0xf, 0x20000010, &(0x7f00000002c0)=@in6={0x21, 0x2, 0x2, 0x1c, {0xa, 0x4e22, 0x3fff80000000000, @remote, 0x400}}, 0x24)
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r4, 0xae80, 0x0)

15:42:02 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:42:02 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x2, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  349.084182][    T5] binder: undelivered TRANSACTION_COMPLETE
[  349.121142][    T5] binder: undelivered TRANSACTION_COMPLETE
15:42:02 executing program 1:
mkdir(&(0x7f0000000000)='./file0\x00', 0x186)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)
r0 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vsock\x00', 0x0, 0x0)
ioctl$IOC_PR_PREEMPT(r0, 0x401870cb, &(0x7f00000000c0)={0x4800000, 0x101, 0x1ff})

[  349.171170][    T5] binder: send failed reply for transaction 1127 to 31108:31109
15:42:02 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$KVM_REINJECT_CONTROL(r2, 0xae71, &(0x7f0000000080)={0x7})
time(&(0x7f0000000140))
ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x1)
r3 = openat$cgroup_ro(r2, &(0x7f0000000000)='memory.eves\x00\x00\x00', 0x0, 0x0)
setsockopt$inet_sctp_SCTP_I_WANT_MAPPED_V4_ADDR(r2, 0x84, 0xc, &(0x7f00000002c0)=0x6, 0x4)
fchownat(0xffffffffffffffff, &(0x7f0000000300)='./file0\x00', 0x0, 0x0, 0x0)
connect$netlink(r3, &(0x7f00000003c0)=@kern={0x10, 0x0, 0x0, 0x8000000}, 0xc)
r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
unlinkat(r2, &(0x7f0000000400)='./file0\x00', 0x200)
ioctl$DRM_IOCTL_GET_STATS(r4, 0x807c6406, &(0x7f0000000340)=""/105)
ioctl$PPPIOCSMRU(r2, 0x40047452, &(0x7f0000000040)=0x7fff)
ioctl$KVM_RUN(r4, 0xae80, 0x0)

[  349.222113][    T5] binder: send failed reply for transaction 1129, target dead
[  349.224690][T31345] binder_alloc: binder_alloc_mmap_handler: 31339 20001000-20004000 already mapped failed -16
[  349.255558][T31347] binder: BINDER_SET_CONTEXT_MGR already set
[  349.267090][    T5] binder: undelivered transaction 1132, process died.
[  349.289564][T31347] binder: 31338:31347 ioctl 40046207 0 returned -16
[  349.299895][T31340] binder: BINDER_SET_CONTEXT_MGR already set
[  349.305922][    T5] binder: send failed reply for transaction 1133 to 31112:31126
[  349.325756][T31340] binder: 31339:31340 ioctl 40046207 0 returned -16
[  349.325782][    T5] binder: undelivered TRANSACTION_COMPLETE
[  349.332671][T31347] binder_alloc: 31339: binder_alloc_buf, no vma
[  349.332708][T31347] binder: 31338:31347 transaction failed 29189/-3, size 0-0 line 3147
[  349.353933][T31357] binder_alloc: 31339: binder_alloc_buf, no vma
[  349.358900][    T5] binder: undelivered TRANSACTION_COMPLETE
[  349.385236][   T17] binder: release 31339:31340 transaction 1137 out, still active
[  349.410522][T31340] binder_alloc: 31339: binder_alloc_buf, no vma
[  349.426910][   T17] binder: unexpected work type, 4, not freed
[  349.450012][   T17] binder: undelivered TRANSACTION_COMPLETE
[  349.458078][T31357] binder: 31339:31357 transaction failed 29189/-3, size 24-8 line 3147
[  349.487927][   T17] binder: undelivered TRANSACTION_COMPLETE
15:42:02 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  349.497612][T31340] binder: 31339:31340 transaction failed 29189/-3, size 24-0 line 3147
[  349.514396][   T17] binder: send failed reply for transaction 1137, target dead
15:42:02 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x3, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:02 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x400000, 0x0)
ioctl$SG_EMULATED_HOST(r0, 0x2203, &(0x7f00000000c0))
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  349.561335][   T17] binder: undelivered transaction 1140, process died.
15:42:02 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x100000000000000, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:02 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
ioctl$VIDIOC_SUBDEV_ENUM_DV_TIMINGS(r2, 0xc0945662, &(0x7f0000000000)={0x3, 0x0, [], {0x0, @bt={0x4, 0x7, 0x0, 0x3, 0x7, 0xfffffffffffffffa, 0xff, 0x0, 0xffffffff, 0xce, 0x71d, 0x3a, 0x9, 0x7fffffff, 0x0, 0xf}}})
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$TUNSETOFFLOAD(r2, 0x400454d0, 0x4)
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  349.664961][T31569] binder: 31566:31569 unknown command 64
[  349.692130][T31569] binder: 31566:31569 ioctl c0306201 200002c0 returned -22
15:42:02 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
fstat(r2, &(0x7f0000000340)={0x0, 0x0, 0x0, 0x0, <r3=>0x0})
getsockopt$sock_cred(r2, 0x1, 0x11, &(0x7f0000000140)={0x0, 0x0, <r4=>0x0}, &(0x7f00000003c0)=0xc)
chown(&(0x7f0000000080)='./file0\x00', r3, r4)
r5 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r6 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r6, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
getsockopt$packet_buf(r5, 0x107, 0xf, &(0x7f00000002c0)=""/128, &(0x7f0000000000)=0x80)
ioctl$KVM_RUN(r6, 0xae80, 0x0)

[  349.716760][T31573] binder: BINDER_SET_CONTEXT_MGR already set
[  349.726766][T31573] binder: 31572:31573 ioctl 40046207 0 returned -16
[  349.738551][T31580] binder_alloc: binder_alloc_mmap_handler: 31572 20001000-20004000 already mapped failed -16
[  349.749660][T31573] binder: BINDER_SET_CONTEXT_MGR already set
[  349.778543][T31573] binder: 31572:31573 ioctl 40046207 0 returned -16
[  349.806252][    T5] binder: release 31572:31573 transaction 1146 out, still active
[  349.828041][    T5] binder: unexpected work type, 4, not freed
15:42:02 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x200000000000000, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:02 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x4, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  349.854715][    T5] binder: undelivered TRANSACTION_COMPLETE
[  349.878699][    T5] binder: undelivered TRANSACTION_COMPLETE
[  349.888645][    T5] binder: release 31572:31580 transaction 1150 out, still active
15:42:02 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  349.928435][    T5] binder: unexpected work type, 4, not freed
[  349.970220][T31711] binder: BINDER_SET_CONTEXT_MGR already set
[  349.999274][T31711] binder: 31690:31711 ioctl 40046207 0 returned -16
[  350.000675][    T5] binder: send failed reply for transaction 1145 to 31566:31569
[  350.007925][T31720] binder: 31719:31720 unknown command 0
[  350.030242][T31720] binder: 31719:31720 ioctl c0306201 200002c0 returned -22
[  350.039596][T31752] binder_alloc: binder_alloc_mmap_handler: 31690 20001000-20004000 already mapped failed -16
[  350.058911][T31711] binder: BINDER_SET_CONTEXT_MGR already set
[  350.061711][    T5] binder: send failed reply for transaction 1146, target dead
[  350.069998][T31711] binder: 31690:31711 ioctl 40046207 0 returned -16
15:42:03 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x4000, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:42:03 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x1800000000000000, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  350.108822][    T5] binder: undelivered transaction 1149, process died.
[  350.123054][    T5] binder: send failed reply for transaction 1150, target dead
[  350.158639][    T5] binder: release 31690:31752 transaction 1159 out, still active
[  350.178182][    T5] binder: unexpected work type, 4, not freed
[  350.187069][T31909] binder: BINDER_SET_CONTEXT_MGR already set
[  350.217882][    T5] binder: unexpected work type, 4, not freed
[  350.233053][T31909] binder: 31900:31909 ioctl 40046207 0 returned -16
15:42:03 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x5, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  350.266782][T31920] binder_alloc: binder_alloc_mmap_handler: 31900 20001000-20004000 already mapped failed -16
[  350.269564][   T17] binder: send failed reply for transaction 1155, target dead
15:42:03 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000009c0)='io.stat\x00', 0x0, 0x0)
r3 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000a40)='IPVS\x00')
sendmsg$IPVS_CMD_SET_DEST(r2, &(0x7f0000000b80)={&(0x7f0000000a00)={0x10, 0x0, 0x0, 0x8000000}, 0xc, &(0x7f0000000b40)={&(0x7f0000000a80)={0xc0, r3, 0x820, 0x70bd26, 0x25dfdbfb, {}, [@IPVS_CMD_ATTR_DEST={0x44, 0x2, [@IPVS_DEST_ATTR_ADDR_FAMILY={0x8, 0xb, 0xa}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x8ab}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x6}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0xffff}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0x7}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e21}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0xff80}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0x83c0}]}, @IPVS_CMD_ATTR_DEST={0x34, 0x2, [@IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x9}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x2}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e22}, @IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x3}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x3}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e20}]}, @IPVS_CMD_ATTR_DEST={0xc, 0x2, [@IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e23}]}, @IPVS_CMD_ATTR_SERVICE={0x14, 0x1, [@IPVS_SVC_ATTR_PROTOCOL={0x8, 0x2, 0x1f}, @IPVS_SVC_ATTR_FWMARK={0x8, 0x5, 0x3}]}, @IPVS_CMD_ATTR_DAEMON={0x14, 0x3, [@IPVS_DAEMON_ATTR_MCAST_PORT={0x8, 0x7, 0x4e22}, @IPVS_DAEMON_ATTR_SYNC_MAXLEN={0x8, 0x4, 0x200}]}]}, 0xc0}, 0x1, 0x0, 0x0, 0x800}, 0x40011)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r4 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
stat(&(0x7f00000008c0)='./file0\x00', &(0x7f0000000900)={0x0, 0x0, 0x0, 0x0, <r5=>0x0})
splice(r0, &(0x7f0000000040), r4, &(0x7f0000000980), 0x800, 0x1)
fchownat(0xffffffffffffffff, &(0x7f0000000880)='./file0\x00', r5, 0x0, 0x0)
r6 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_REGS(r6, 0x4090ae82, &(0x7f00000006c0)={[0x400, 0x5, 0x19, 0xff, 0xd1, 0x7fff, 0x2, 0x4, 0x4, 0x10000, 0x7, 0x100000001, 0x4, 0x3, 0x0, 0xfeb], 0xd000, 0x5200})
ioctl$KVM_GET_XSAVE(r4, 0x9000aea4, &(0x7f00000002c0))
getsockopt$inet_sctp_SCTP_PRIMARY_ADDR(r4, 0x84, 0x6, &(0x7f0000000780)={<r7=>0x0, @in6={{0xa, 0x4e21, 0x7, @initdev={0xfe, 0x88, [], 0x0, 0x0}, 0x9}}}, &(0x7f0000000080)=0x84)
getsockopt$inet_sctp_SCTP_RECONFIG_SUPPORTED(r4, 0x84, 0x75, &(0x7f0000000140)={r7, 0x9}, &(0x7f0000000840)=0x8)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
prctl$PR_MPX_ENABLE_MANAGEMENT(0x2b)
ioctl$KVM_SET_REGS(r6, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x4cb, 0x0, 0xfff, 0x3ffffc, 0x1, 0x0, 0x0, 0x0, 0x80000, 0x1000000], 0x1f000})
ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_TIMER(r4, 0xc0605345, &(0x7f0000000bc0)={0x3f, 0x1, {0xffffffffffffffff, 0x3, 0x8000, 0x3, 0x2}})
bind$netlink(r4, &(0x7f0000000000)={0x10, 0x0, 0x25dfdbfb, 0x802}, 0xc)
ioctl$KVM_RUN(r6, 0xae80, 0x0)

15:42:03 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  350.354752][T31975] binder: 31956:31975 unknown command 0
[  350.360362][T31975] binder: 31956:31975 ioctl c0306201 200002c0 returned -22
[  350.364227][T31909] binder: BINDER_SET_CONTEXT_MGR already set
15:42:03 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
r0 = dup3(0xffffffffffffff9c, 0xffffffffffffff9c, 0x0)
r1 = open(&(0x7f0000000080)='./file0\x00', 0x200, 0x4)
renameat2(r0, &(0x7f0000000000)='./file0\x00', r1, &(0x7f00000000c0)='./file0\x00', 0x5)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)
getsockopt$inet_sctp_SCTP_AUTH_ACTIVE_KEY(r0, 0x84, 0x18, &(0x7f0000000140)={<r2=>0x0, 0x3}, &(0x7f0000000180)=0x8)
getsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO(r1, 0x84, 0x22, &(0x7f00000001c0)={0x4, 0x1, 0x0, 0x6, r2}, &(0x7f0000000240)=0x10)

[  350.422609][T31909] binder: 31900:31909 ioctl 40046207 0 returned -16
15:42:03 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0xfdfdffff00000000, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:03 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
setsockopt$inet_tcp_TLS_RX(r2, 0x6, 0x2, &(0x7f0000000140), 0x4)
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000040)='/proc/capi/capi20ncci\x00', 0x101000, 0x0)
ioctl$KVM_RUN(r3, 0xae80, 0x0)
ioctl$TUNGETFEATURES(r2, 0x800454cf, &(0x7f0000000080))
write$P9_RLOCK(r2, &(0x7f0000000000)={0x8, 0x35, 0x2, 0x3}, 0x8)

15:42:03 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x6, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  350.569862][T32134] binder: BINDER_SET_CONTEXT_MGR already set
[  350.607092][T32134] binder: 32133:32134 ioctl 40046207 0 returned -16
15:42:03 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  350.637333][T32207] binder_alloc: binder_alloc_mmap_handler: 32133 20001000-20004000 already mapped failed -16
15:42:03 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4e8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000000)={0x0, 0x0, 0x100000, 0x2000, &(0x7f0000013000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

[  350.715871][T32242] binder: BINDER_SET_CONTEXT_MGR already set
[  350.733286][T32242] binder: 32241:32242 ioctl 40046207 0 returned -16
[  350.741991][T32242] binder_alloc: 32133: binder_alloc_buf, no vma
15:42:03 executing program 1:
mkdir(&(0x7f00000002c0)='./file0\x00', 0xfffffffffffffffc)
clone(0x4000, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)
r0 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vcs\x00', 0x101000, 0x0)
recvmsg(r0, &(0x7f0000000280)={&(0x7f0000000080)=@nfc_llcp, 0x80, &(0x7f0000000240)=[{&(0x7f0000000140)=""/139, 0x8b}], 0x1}, 0x10000)

[  350.781474][T32247] binder_alloc: 32133: binder_alloc_buf, no vma
15:42:03 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x2, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:03 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x7, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:03 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
read$rfkill(r2, &(0x7f0000000040), 0x8)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000], 0x1f000, 0x10000})
connect$tipc(r2, &(0x7f0000000000)=@nameseq={0x1e, 0x1, 0x3, {0x0, 0x4, 0x2}}, 0x10)
ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
ioctl$KVM_RUN(r3, 0xae80, 0x0)
keyctl$join(0x1, 0x0)
ioctl$KVM_SET_CPUID(r2, 0x4008ae8a, &(0x7f0000000080)={0x2, 0x0, [{0x80000007, 0x463b, 0x5, 0x8, 0x101}, {0x1, 0xffffffff00000001, 0x3, 0x2d5, 0x4}]})

[  350.991485][T32387] binder_alloc: binder_alloc_mmap_handler: 32374 20001000-20004000 already mapped failed -16
15:42:03 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  351.036564][T32375] binder: BINDER_SET_CONTEXT_MGR already set
[  351.065044][T32375] binder: 32374:32375 ioctl 40046207 0 returned -16
15:42:04 executing program 5:
r0 = openat$snapshot(0xffffffffffffff9c, &(0x7f0000000000)='/dev/snapshot\x00', 0x20000, 0x0)
getsockopt$inet_tcp_buf(r0, 0x6, 0x1c, &(0x7f00000002c0)=""/227, &(0x7f0000000080)=0xe3)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  351.089289][T32418] binder: BINDER_SET_CONTEXT_MGR already set
[  351.149456][T32418] binder: 32403:32418 ioctl 40046207 0 returned -16
[  351.149487][T32460] binder_alloc: 32374: binder_alloc_buf, no vma
15:42:04 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
r0 = add_key(&(0x7f0000000000)='asymmetric\x00', &(0x7f0000000080)={'syz', 0x2}, 0x0, 0x0, 0x0)
keyctl$revoke(0x3, r0)
mount(&(0x7f0000000040)=ANY=[@ANYBLOB='[d::]:/]lb:\x00'], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  351.190727][ T7807] binder_thread_release: 2 callbacks suppressed
[  351.190740][ T7807] binder: release 32374:32375 transaction 1173 out, still active
[  351.206946][T32375] binder_alloc: 32374: binder_alloc_buf, no vma
[  351.229550][ T7807] binder: unexpected work type, 4, not freed
15:42:04 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x18, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  351.262658][ T7807] binder_send_failed_reply: 2 callbacks suppressed
[  351.262665][ T7807] binder: send failed reply for transaction 1173, target dead
[  351.290694][ T7807] binder_cleanup_transaction: 2 callbacks suppressed
[  351.290702][ T7807] binder: undelivered transaction 1176, process died.
15:42:04 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  351.372566][T32591] binder_alloc: binder_alloc_mmap_handler: 32589 20001000-20004000 already mapped failed -16
15:42:04 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0xa, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  351.422940][T32590] binder: BINDER_SET_CONTEXT_MGR already set
15:42:04 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x400000, 0x0)
r1 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000400)='m\x00\x01o\x18\x8a\xb9e\xa9\xe5\x89[z\x98m\xc5\xb8o\xb0\xfa\xe2\x9b\xe3[1%;\x95\xe9d\xf1\xe8\xf1\xc0\xad4O\x9f\x8a\xd3d\xcb\xe0\xbb\xceK\b\t\x02?mB\xe2a\xd1\n\xc0\x9c\xbc\x11\x1ffl\xeav\xac#){;@\x87X\x9b\xfemBh\xcd\xea8K*}\xd7TP\xeej\x8b\xd6\xaci\x8e9\xa5E\xf8\xa6\x83\x99\xdc\xf4\xd9\x8erm\x96W\xdc\xa8\x06f\x12\xf8\xc9\xfc|KK\x17\xb8\xd8\xca9\xc0\xf6\x03\xb0\xf4$4M\xc9I\xe5\x10\xd7v\xe9\xdc\xf8{\xe5\xc0\x06m\xad+qH\xe7\a^\xecz\xeb\x93\"\xa7\x11\x11%>\xa2\x8e;\xd7\xe7\xbc\xf6\x91 \x1c\xab\xff\x94\xf691\x15\xc0\xcbY\x90%\xc6z\x88\xfb3\x7f\x9e\xb3\xc0\xe0\x8e\xed\xea\x03\x16\t\x13\xc7\xfeX\'\xc5\x19\x19\xb3\xb1\xa9\xf8\x84\xadgD\xe6 E\xae\x06/B\x11\xa9\xc3\xb4\xeb.:\xb7d\xdfh\xac\x14\x94\x01\xc9=\x83r\x81', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r1, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@text32={0x20, &(0x7f00000002c0)="c4e17b70613f0bb94f090000b838000000ba000000000f30672e0fc75904c4c1a1efcf0f2329640f81000000000ff7d598b9800000c00f3235002000000f306464660f3882927a5e0000"}], 0xa3, 0x0, 0x0, 0xffe2)
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0xfffffffffffffffe, 0x0)
write$P9_RAUTH(r3, &(0x7f00000000c0)={0x14, 0x67, 0x1, {0x20, 0x1, 0x2}}, 0x14)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r4, 0xae80, 0x0)

[  351.476802][ T7807] binder: release 32589:32590 transaction 1180 out, still active
[  351.489757][T32601] binder: BINDER_SET_CONTEXT_MGR already set
[  351.497238][T32590] binder: 32589:32590 ioctl 40046207 0 returned -16
[  351.506684][ T7807] binder: unexpected work type, 4, not freed
[  351.529616][T32601] binder: 32598:32601 ioctl 40046207 0 returned -16
[  351.530270][ T7807] binder: send failed reply for transaction 1180, target dead
15:42:04 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x1800, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  351.579532][ T7807] binder: undelivered transaction 1183, process died.
15:42:04 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
r0 = openat$vfio(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vfio/vfio\x00', 0x20000, 0x0)
getsockopt$IP6T_SO_GET_REVISION_MATCH(r0, 0x29, 0x44, &(0x7f0000000080)={'ipvs\x00'}, &(0x7f00000000c0)=0x1e)
ioctl$VIDIOC_SUBDEV_S_CROP(r0, 0xc038563c, &(0x7f0000000140)={0x1, 0x0, {0x2, 0x4e1dc5e3, 0x1, 0x5}})
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:42:04 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
openat$smack_thread_current(0xffffffffffffff9c, &(0x7f0000000000)='/proc/thread-self/attr/current\x00', 0x2, 0x0)
ioctl$KVM_RUN(r2, 0xae80, 0x0)

15:42:04 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:42:04 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x10004, 0x0)
stat(&(0x7f0000000000)='./file0\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, <r3=>0x0})
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, r3, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
setsockopt$inet_sctp6_SCTP_AUTOCLOSE(r2, 0x84, 0x4, &(0x7f0000000080)=0x6, 0x4)
ioctl$KVM_RUN(r4, 0xae80, 0x0)

15:42:04 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x48, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  351.726250][  T343] binder_alloc: binder_alloc_mmap_handler: 315 20001000-20004000 already mapped failed -16
[  351.820198][  T342] binder: BINDER_SET_CONTEXT_MGR already set
[  351.876607][  T342] binder: 315:342 ioctl 40046207 0 returned -16
[  351.882185][  T361] binder: BINDER_SET_CONTEXT_MGR already set
[  351.889383][  T361] binder: 360:361 ioctl 40046207 0 returned -16
[  351.904856][  T363] binder_transaction: 5 callbacks suppressed
[  351.904899][  T363] binder: 315:363 transaction failed 29189/-3, size 24-8 line 3147
[  351.929937][   T17] binder: release 315:342 transaction 1185 out, still active
[  351.937913][  T342] binder: 315:342 transaction failed 29189/-3, size 24-0 line 3147
[  351.952239][   T17] binder: unexpected work type, 4, not freed
[  351.960080][   T17] binder: send failed reply for transaction 1185, target dead
[  351.998071][   T17] binder: undelivered transaction 1188, process died.
15:42:04 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x1000000, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:05 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  352.042801][   T17] binder_release_work: 14 callbacks suppressed
[  352.042840][   T17] binder: undelivered TRANSACTION_ERROR: 29189
15:42:05 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x4c, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  352.117780][   T17] binder: undelivered TRANSACTION_ERROR: 29189
[  352.146798][  T545] binder: BINDER_SET_CONTEXT_MGR already set
15:42:05 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$VIDIOC_STREAMON(r2, 0x40045612, &(0x7f0000000600)=0x10000)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
write$P9_RFLUSH(r2, &(0x7f0000000000)={0x7, 0x6d, 0x1}, 0x7)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$PPPIOCSPASS(r2, 0x40087447, &(0x7f0000000080)={0x4, &(0x7f0000000040)=[{0x4, 0xff, 0x81, 0x6}, {0x1, 0x5, 0x2, 0x1}, {0x4, 0x8b3, 0x4, 0x7fff}, {0x20, 0x0, 0x6, 0x401}]})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)
openat$kvm(0xffffffffffffff9c, &(0x7f0000000640)='/dev/kvm\x00', 0x0, 0x0)
getsockopt$inet_sctp6_SCTP_GET_ASSOC_STATS(r2, 0x84, 0x70, &(0x7f0000000480)={<r4=>0x0, @in6={{0xa, 0x4e22, 0xfffffffffffffff9, @empty, 0x7}}, [0x1ff, 0x7, 0x1ea5, 0xa2, 0x3ff, 0x3, 0xff, 0x9, 0x0, 0x5, 0x16d, 0x6, 0x6, 0x3, 0x5]}, &(0x7f0000000580)=0x100)
setsockopt$inet_sctp6_SCTP_DEFAULT_SNDINFO(r2, 0x84, 0x22, &(0x7f00000005c0)={0x3ff, 0x200, 0xfffffffffffff8de, 0x5, r4}, 0x10)
recvmsg(r2, &(0x7f0000000440)={&(0x7f00000002c0)=@rc, 0x80, &(0x7f0000000140)=[{&(0x7f0000000340)=""/198, 0xc6}], 0x1}, 0x2000)

15:42:05 executing program 1:
r0 = syz_open_dev$midi(&(0x7f0000000000)='/dev/midi#\x00', 0x9c, 0x2c8002)
ioctl$sock_inet_SIOCDARP(r0, 0x8953, &(0x7f0000000080)={{0x2, 0x4e24, @multicast2}, {0x307, @local}, 0x20, {0x2, 0x4e21, @multicast2}, 'bcsf0\x00'})
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  352.195667][   T17] binder_send_failed_reply: 2 callbacks suppressed
[  352.195676][   T17] binder: send failed reply for transaction 1192 to 513:545
[  352.212410][  T545] binder: 513:545 ioctl 40046207 0 returned -16
15:42:05 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x2000000, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  352.239573][   T17] binder: undelivered transaction 1195, process died.
[  352.269026][   T17] binder: undelivered TRANSACTION_ERROR: 29189
[  352.363416][  T673] binder: BINDER_SET_CONTEXT_MGR already set
15:42:05 executing program 5:
r0 = openat$full(0xffffffffffffff9c, &(0x7f0000000080)='/dev/full\x00', 0x0, 0x0)
ioctl$KVM_GET_DEBUGREGS(r0, 0x8080aea1, &(0x7f00000002c0))
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$IOC_PR_PREEMPT_ABORT(r3, 0x401870cc, &(0x7f0000000000)={0x80, 0x7fffffff, 0x4, 0x4dcc})
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb, 0x0, 0x0, 0x1], 0x1f000})
r5 = add_key(0x0, 0x0, 0x0, 0x1ab, 0xffffffffffffffff)
keyctl$negate(0xd, 0x0, 0x1000, r5)
vmsplice(0xffffffffffffffff, 0x0, 0x0, 0x0)
clone(0x2102001ffc, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
ioctl$EVIOCSREP(r0, 0x40084503, &(0x7f0000000340)=[0xfffffffffffffff9, 0x6])
add_key(&(0x7f0000000040)='dns_resolver\x00', 0x0, &(0x7f0000000100)="f1adeb1af858baacf3badb1d79cae63160297c5622f1bd4355db6251ba98a1e2907b45d18f94a48704000000222a0027dec36a9f5f10be85cdfbb42864d37ef802ac13632e6787578d000000d38f350b8b23000000000000000000", 0x5b, 0xfffffffffffffffb)
ioctl$KVM_RUN(r1, 0xae80, 0x0)
socket$key(0xf, 0x3, 0x2)

15:42:05 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  352.409023][  T673] binder: 669:673 ioctl 40046207 0 returned -16
[  352.442868][  T694] binder: 669:694 transaction failed 29189/-3, size 24-0 line 3147
15:42:05 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x60, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  352.484741][  T673] binder: BINDER_SET_CONTEXT_MGR already set
[  352.529082][ T7756] binder: send failed reply for transaction 1197 to 579:581
[  352.541630][  T726] binder: 669:726 transaction failed 29189/-22, size 24-0 line 2994
[  352.541874][  T694] binder: 669:694 transaction failed 29189/-22, size 24-8 line 2994
[  352.571866][ T7756] binder: send failed reply for transaction 1198 to 669:694
[  352.595910][ T7756] binder: undelivered TRANSACTION_ERROR: 29189
[  352.615873][  T706] Option '        ' to dns_resolver key: bad/missing value
[  352.630421][  T673] binder: 669:673 ioctl 40046207 0 returned -16
[  352.630757][ T7756] binder: undelivered TRANSACTION_ERROR: 29189
15:42:05 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
r3 = add_key(&(0x7f0000000000)='user\x00', &(0x7f0000000080)={'syz', 0x2}, &(0x7f00000002c0)="afb2e7387bf85240c2078129914277bf05266aebdfad8fdc9e5a1931e5b6b6cfe42edbdb1fb8c06ed4dae53fe5de904efeffacefd7d5f86a8fc5e332900428cc3de24654c0ac34e0d1ce229017c032297c0f13ddf671080b71fea7ba772ccad3caf1280763503dcb7e81184da2a2f5faf6423ce9b46a8222cd974ed1f0e330f50f59edf016910948479be7ecd7f3bef25952392317f11fdb9e19a038634ed50ccdf1b3f826c293f737e724fbcd0c09195b48f95a045c5c36afcec77e208f8bc59dd32ebf84804172c7bacd98b381aa5e9b45d4e0651e835ac07a036220cc8aa48ee2bd04b9e43ce7fdabda28b0126f16291d306aa202c70e44e214", 0xfb, 0xfffffffffffffffb)
keyctl$describe(0x6, r3, &(0x7f00000003c0)=""/230, 0xe6)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

15:42:05 executing program 1:
mkdir(&(0x7f0000000180)='./file0\x00', 0x8000100)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)
r0 = openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ubi_ctrl\x00', 0x2, 0x0)
ioctl$PPPIOCDISCONN(r0, 0x7439)

15:42:05 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x18000000, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  352.693141][ T7756] binder: undelivered TRANSACTION_ERROR: 29189
[  352.726856][ T7756] binder: undelivered TRANSACTION_ERROR: 29189
15:42:05 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x68, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  352.778797][ T7756] binder: undelivered TRANSACTION_ERROR: 29189
[  352.799783][  T919] binder: BINDER_SET_CONTEXT_MGR already set
15:42:05 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  352.842549][  T919] binder: 916:919 ioctl 40046207 0 returned -16
[  352.849163][ T7756] binder: send failed reply for transaction 1205 to 734:735
[  352.849253][  T923] binder: 916:923 transaction failed 29189/-22, size 24-8 line 2994
[  352.886731][ T7756] binder: undelivered TRANSACTION_ERROR: 29189
15:42:05 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
ioctl$KVM_IOEVENTFD(r2, 0x4040ae79, &(0x7f0000000040)={0x4000, &(0x7f0000000000), 0x8, r2, 0x5})
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  352.969127][  T919] binder: BINDER_SET_CONTEXT_MGR already set
[  352.993901][  T919] binder: 916:919 ioctl 40046207 0 returned -16
15:42:05 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x2)
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

[  353.021449][ T7756] binder: undelivered TRANSACTION_ERROR: 29189
[  353.032906][ T7756] binder: release 916:923 transaction 1210 out, still active
15:42:06 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x6c, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:06 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0xfdfdffff, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:06 executing program 1:
mkdir(&(0x7f0000000000)='./file0\x00', 0x40)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  353.081585][ T7756] binder: unexpected work type, 4, not freed
15:42:06 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  353.133175][ T7756] binder: send failed reply for transaction 1208 to 950:960
[  353.174635][ T7756] binder: undelivered transaction 1209, process died.
[  353.205694][ T7756] binder: send failed reply for transaction 1210, target dead
[  353.212087][ T1170] binder: BINDER_SET_CONTEXT_MGR already set
[  353.225708][ T1170] binder: 1169:1170 ioctl 40046207 0 returned -16
[  353.304556][ T1170] binder: BINDER_SET_CONTEXT_MGR already set
[  353.336273][    T5] binder: release 1169:1251 transaction 1215 out, still active
[  353.344646][ T1170] binder: 1169:1170 ioctl 40046207 0 returned -16
15:42:06 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x74, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:06 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
getsockopt$bt_BT_SECURITY(r2, 0x112, 0x4, &(0x7f0000000000), 0x2)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x2, 0x1, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  353.360573][    T5] binder: unexpected work type, 4, not freed
[  353.388387][    T5] binder: send failed reply for transaction 1214 to 1155:1156
15:42:06 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
bind$bt_rfcomm(r2, &(0x7f0000000000)={0x1f, {0x6892, 0x2, 0x48, 0x100000001, 0x0, 0x3}, 0x100}, 0xa)
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  353.432632][    T5] binder: send failed reply for transaction 1215, target dead
15:42:06 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0xfffffdfd, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  353.477596][    T5] binder: undelivered transaction 1218, process died.
[  353.499289][    T5] binder: send failed reply for transaction 1219 to 1169:1251
15:42:06 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:42:06 executing program 1:
r0 = syz_open_dev$midi(&(0x7f0000000000)='/dev/midi#\x00', 0xeb, 0x300)
ioctl$SG_GET_REQUEST_TABLE(r0, 0x2286, &(0x7f0000000240))
mkdir(&(0x7f0000000180)='./file0\x00', 0x40)
getsockopt$inet_int(r0, 0x0, 0x1f, &(0x7f0000000040), &(0x7f00000000c0)=0x4)
ioctl$BLKRESETZONE(r0, 0x40101283, &(0x7f0000000140)={0x100000001, 0x1})
mount(&(0x7f0000000080)=ANY=[@ANYBLOB="5b64fc1a2ab9d5eb5374e17bc5720cd59776730ef88bbe21000000000000000000000000000000"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:42:06 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x7a, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  353.607359][ T1496] binder: BINDER_SET_CONTEXT_MGR already set
[  353.671594][ T1505] binder_alloc_new_buf_locked: 3 callbacks suppressed
[  353.671604][    T5] binder: release 1286:1302 transaction 1223 out, still active
[  353.671609][ T1505] binder_alloc: 1286: binder_alloc_buf, no vma
[  353.671639][ T1505] binder: 1495:1505 transaction failed 29189/-3, size 24-8 line 3147
[  353.679848][ T1496] binder: 1495:1496 ioctl 40046207 0 returned -16
[  353.688355][ T1504] ceph: device name is missing path (no : separator in [d�*���St�{�r՗vs���!)
15:42:06 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000440)='/proc/capi/capi20\x00', 0x1, 0x0)
bind$vsock_stream(r2, &(0x7f0000000480)={0x28, 0x0, 0x2711, @hyper}, 0x10)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
r5 = pkey_alloc(0x0, 0x1)
pkey_mprotect(&(0x7f0000018000/0x3000)=nil, 0x3000, 0x0, r5)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffe, 0x2], 0x1f000})
ioctl$TIOCGSID(r3, 0x5429, &(0x7f0000000000)=<r6=>0x0)
perf_event_open(&(0x7f00000002c0)={0x0, 0x70, 0x5, 0x56b, 0x1ff, 0x641, 0x0, 0x8000, 0x290, 0x4, 0x7f, 0xfb33, 0x3, 0x3, 0xff, 0x2, 0x6, 0x40, 0x2c9, 0x9, 0x19b880d5, 0x7fffffff, 0x8, 0x2, 0xffffffffffffff5a, 0x5, 0x6, 0x100, 0x3, 0x8001, 0x8000000, 0x7, 0x81, 0x1, 0x0, 0x94f7, 0x4, 0x0, 0x0, 0x3, 0x6, @perf_config_ext={0x0, 0x4}, 0x400, 0x8, 0x6e, 0xf, 0xb919, 0x7, 0x8}, r6, 0xd, r3, 0x2)
ioctl$SNDRV_CTL_IOCTL_HWDEP_INFO(r3, 0x80dc5521, &(0x7f0000000340)=""/229)
ioctl$KVM_RUN(r4, 0xae80, 0x0)
getsockopt$inet_sctp6_SCTP_MAX_BURST(r3, 0x84, 0x14, &(0x7f0000000080)=@assoc_value, &(0x7f0000000140)=0x8)

[  353.695312][    T5] binder_release_work: 27 callbacks suppressed
[  353.695319][    T5] binder: undelivered TRANSACTION_COMPLETE
[  353.761030][ T1511] binder: BINDER_SET_CONTEXT_MGR already set
[  353.782451][ T1511] binder: 1510:1511 ioctl 40046207 0 returned -16
[  353.806823][ T1511] binder_alloc: 1286: binder_alloc_buf, no vma
[  353.826185][    T5] binder: send failed reply for transaction 1223, target dead
[  353.836056][ T1496] binder: 1495:1496 transaction failed 29189/-22, size 24-0 line 2994
[  353.838225][ T1511] binder: 1510:1511 transaction failed 29189/-3, size 0-0 line 3147
[  353.890283][ T1505] binder_alloc_mmap_handler: 4 callbacks suppressed
[  353.890309][ T1505] binder_alloc: binder_alloc_mmap_handler: 1495 20001000-20004000 already mapped failed -16
[  353.912166][ T1505] binder_alloc: 1495: binder_alloc_buf, no vma
15:42:06 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
r0 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x1f, 0x800)
setsockopt$inet_sctp_SCTP_RECVRCVINFO(r0, 0x84, 0x20, &(0x7f0000000080)=0x9, 0x4)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:42:06 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
r1 = syz_open_dev$sndpcmc(&(0x7f0000000000)='/dev/snd/pcmC#D#c\x00', 0x4, 0x4c00)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r1, &(0x7f0000011000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

15:42:06 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  353.942861][ T1505] binder: 1495:1505 transaction failed 29189/-3, size 24-8 line 3147
[  353.967437][ T1496] binder_alloc: 1495: binder_alloc_buf, no vma
15:42:07 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x100000000000000, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:07 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x300, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  354.177131][ T1748] binder_alloc: binder_alloc_mmap_handler: 1746 20001000-20004000 already mapped failed -16
[  354.219590][ T1750] binder: BINDER_SET_CONTEXT_MGR already set
[  354.237159][ T1750] binder: 1749:1750 ioctl 40046207 0 returned -16
[  354.245821][ T1747] binder: BINDER_SET_CONTEXT_MGR already set
[  354.253721][ T1747] binder: 1746:1747 ioctl 40046207 0 returned -16
[  354.264349][ T1751] binder_alloc: 1746: binder_alloc_buf, no vma
[  354.277121][    T5] binder: release 1746:1747 transaction 1231 out, still active
[  354.288939][    T5] binder: unexpected work type, 4, not freed
15:42:07 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x200000000000000, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:07 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  354.315604][    T5] binder: undelivered TRANSACTION_COMPLETE
[  354.358204][    T5] binder: undelivered TRANSACTION_COMPLETE
[  354.394270][ T1881] binder: BINDER_SET_CONTEXT_MGR already set
[  354.421294][    T5] binder: send failed reply for transaction 1231, target dead
[  354.432471][ T1881] binder: 1872:1881 ioctl 40046207 0 returned -16
[  354.451816][    T5] binder: undelivered transaction 1234, process died.
15:42:07 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
openat$tun(0xffffffffffffff9c, &(0x7f0000000000)='/dev/net/tun\x00', 0x0, 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  354.471106][ T1956] binder_alloc: binder_alloc_mmap_handler: 1872 20001000-20004000 already mapped failed -16
15:42:07 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
write$capi20(r2, &(0x7f0000000340)={0x10, 0x3f, 0x86, 0x83, 0x80, 0x101}, 0x10)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4068aea3, &(0x7f0000000380)={0x7b, 0x0, [0x7, 0x200, 0x8, 0x1ff]})
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
getsockopt$sock_cred(r2, 0x1, 0x11, &(0x7f0000000500)={<r4=>0x0}, &(0x7f00000004c0)=0xc)
write$cgroup_pid(r2, &(0x7f0000000480)=r4, 0x12)
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
perf_event_open(&(0x7f0000000140)={0x2, 0x70, 0x3e6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10000003, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$DRM_IOCTL_PRIME_FD_TO_HANDLE(r2, 0xc00c642e, &(0x7f0000000000)={<r5=>0x0, 0x0, r2})
ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD(r2, 0xc00c642d, &(0x7f0000000080)={r5, 0x80000, r1})
ioctl$KVM_ENABLE_CAP_CPU(r3, 0x4068aea3, &(0x7f00000002c0)={0x7b, 0x0, [0xffffffffffff8000, 0x7ff, 0x4]})
pkey_mprotect(&(0x7f000010e000/0x3000)=nil, 0x3000, 0x0, 0xffffffffffffffff)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600003, 0x8)
ioctl$KVM_RUN(r3, 0xae80, 0x0)

15:42:07 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x500, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  354.540936][ T1971] binder_alloc: 1872: binder_alloc_buf, no vma
[  354.615758][ T1881] binder_alloc: 1872: binder_alloc_buf, no vma
15:42:07 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:42:07 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = add_key$user(&(0x7f0000000080)='user\x00', &(0x7f0000000140)={'syz', 0x1}, &(0x7f00000002c0), 0x0, 0xfffffffffffffffe)
keyctl$assume_authority(0x10, r2)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$VIDIOC_SUBDEV_G_EDID(r3, 0xc0245628, &(0x7f0000000040)={0x0, 0x8, 0x5, [], &(0x7f0000000000)=0x8})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r4, 0xae80, 0x0)

15:42:07 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x1800000000000000, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  354.890193][ T2158] binder: BINDER_SET_CONTEXT_MGR already set
15:42:07 executing program 1:
mkdir(&(0x7f0000000180)='./file0\x00', 0x20)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
r0 = syz_open_dev$usb(&(0x7f0000000000)='/dev/bus/usb/00#/00#\x00', 0x8, 0x101000)
r1 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000240)='/dev/vga_arbiter\x00', 0x420ff, 0x0)
linkat(r0, &(0x7f0000000080)='./file0\x00', r1, &(0x7f0000000140)='./file0\x00', 0x1000)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:42:07 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x600, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  354.945877][ T2158] binder: 2122:2158 ioctl 40046207 0 returned -16
15:42:07 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  355.011496][ T2597] binder: send failed reply for transaction 1242 to 1978:1979
[  355.034214][ T2194] binder_alloc: binder_alloc_mmap_handler: 2122 20001000-20004000 already mapped failed -16
[  355.065646][ T2597] binder: send failed reply for transaction 1243 to 2122:2194
[  355.096723][ T2202] binder_alloc: 2122: binder_alloc_buf, no vma
[  355.113015][ T2597] binder: undelivered TRANSACTION_COMPLETE
15:42:08 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
stat(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040))
getresuid(&(0x7f0000000140), &(0x7f00000002c0)=<r3=>0x0, &(0x7f0000000300))
stat(&(0x7f0000000340)='./file0\x00', &(0x7f0000000380))
getresgid(&(0x7f0000000640), &(0x7f0000000540)=<r4=>0x0, &(0x7f0000000600))
fchownat(r2, 0x0, r3, r4, 0xffffffffffffffff)
ioctl$VIDIOC_ENUMOUTPUT(r2, 0xc0485630, &(0x7f00000004c0)={0xfffffffffffffff8, "5fd36f7894c3bf5658f5076955e20f728b6e9188ac867dac9eba32378d77ab0b", 0x2, 0x3, 0x10001, 0x3a0000, 0x8})
r5 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r5, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

[  355.138278][ T2597] binder: undelivered TRANSACTION_COMPLETE
15:42:08 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0xfdfdffff00000000, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:08 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$PERF_EVENT_IOC_SET_BPF(r2, 0x40042408, r2)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  355.276792][ T2286] binder: BINDER_SET_CONTEXT_MGR already set
15:42:08 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x700, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  355.322578][ T2286] binder: 2278:2286 ioctl 40046207 0 returned -16
[  355.353265][ T2286] binder_alloc: 2208: binder_alloc_buf, no vma
[  355.355189][ T7756] binder: send failed reply for transaction 1250 to 2208:2209
[  355.405858][ T7756] binder: undelivered TRANSACTION_COMPLETE
[  355.419141][ T2319] binder_alloc: binder_alloc_mmap_handler: 2278 20001000-20004000 already mapped failed -16
15:42:08 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  355.468308][ T2286] binder: BINDER_SET_CONTEXT_MGR already set
15:42:08 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
prctl$PR_SET_FP_MODE(0x2d, 0x2)
r0 = openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000000)='/proc/capi/capi20\x00', 0x4a0600, 0x0)
recvmmsg(r0, &(0x7f0000007600)=[{{&(0x7f0000000080)=@nfc_llcp, 0x80, &(0x7f0000000180)=[{&(0x7f0000000140)=""/63, 0x3f}, {&(0x7f0000000380)=""/4096, 0x1000}, {&(0x7f0000000240)=""/168, 0xa8}], 0x3, &(0x7f0000001380)=""/93, 0x5d}, 0x80}, {{&(0x7f0000001400)=@alg, 0x80, &(0x7f0000001a40)=[{&(0x7f0000001480)=""/66, 0x42}, {&(0x7f0000001500)=""/105, 0x69}, {&(0x7f0000001580)=""/128, 0x80}, {&(0x7f0000001600)=""/121, 0x79}, {&(0x7f0000001680)=""/71, 0x47}, {&(0x7f0000001700)=""/122, 0x7a}, {&(0x7f0000001780)=""/242, 0xf2}, {&(0x7f0000001880)=""/231, 0xe7}, {&(0x7f0000001980)=""/155, 0x9b}], 0x9, &(0x7f0000001ac0)=""/4096, 0x1000}, 0x1ff}, {{0x0, 0x0, &(0x7f0000002bc0)=[{&(0x7f00000001c0)=""/12, 0xc}, {&(0x7f0000002ac0)=""/79, 0x4f}, {&(0x7f0000002b40)=""/89, 0x59}, {&(0x7f0000000300)=""/51, 0x33}], 0x4, &(0x7f0000002c00)=""/121, 0x79}, 0xffffffff}, {{&(0x7f0000002c80)=@alg, 0x80, &(0x7f0000002d00)}}, {{&(0x7f0000002d40)=@pppol2tpin6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @mcast2}}}, 0x80, &(0x7f0000004000)=[{&(0x7f0000002dc0)=""/178, 0xb2}, {&(0x7f0000002e80)=""/47, 0x2f}, {&(0x7f0000002ec0)=""/4096, 0x1000}, {&(0x7f0000003ec0)=""/180, 0xb4}, {&(0x7f0000003f80)=""/17, 0x11}, {&(0x7f0000003fc0)=""/14, 0xe}], 0x6, &(0x7f0000004040)=""/44, 0x2c}, 0x1b}, {{&(0x7f0000004080)=@in6={0xa, 0x0, 0x0, @mcast2}, 0x80, &(0x7f00000043c0)=[{&(0x7f0000004100)=""/231, 0xe7}, {&(0x7f0000004200)=""/221, 0xdd}, {&(0x7f0000004300)=""/18, 0x12}, {&(0x7f0000004340)=""/92, 0x5c}], 0x4, &(0x7f0000004400)=""/170, 0xaa}, 0x8}, {{&(0x7f00000044c0)=@pptp={0x18, 0x2, {0x0, @multicast2}}, 0x80, &(0x7f00000069c0)=[{&(0x7f0000004540)=""/226, 0xe2}, {&(0x7f0000004640)=""/179, 0xb3}, {&(0x7f0000004700)=""/31, 0x1f}, {&(0x7f0000004740)=""/4096, 0x1000}, {&(0x7f0000005740)=""/120, 0x78}, {&(0x7f00000057c0)=""/4096, 0x1000}, {&(0x7f00000067c0)=""/175, 0xaf}, {&(0x7f0000006880)=""/182, 0xb6}, {&(0x7f0000006940)=""/122, 0x7a}], 0x9}, 0x6}, {{&(0x7f0000006a40)=@alg, 0x80, &(0x7f0000006bc0)=[{&(0x7f0000006ac0)=""/113, 0x71}, {&(0x7f0000006b40)=""/112, 0x70}], 0x2, &(0x7f0000006c00)=""/201, 0xc9}, 0x6}, {{&(0x7f0000006d00)=@rc, 0x80, &(0x7f00000073c0)=[{&(0x7f0000006d80)=""/197, 0xc5}, {&(0x7f0000006e80)=""/9, 0x9}, {&(0x7f0000006ec0)=""/141, 0x8d}, {&(0x7f0000006f80)=""/204, 0xcc}, {&(0x7f0000007080)=""/169, 0xa9}, {&(0x7f0000007140)=""/48, 0x30}, {&(0x7f0000007180)=""/221, 0xdd}, {&(0x7f0000007280)=""/247, 0xf7}, {&(0x7f0000007380)=""/21, 0x15}], 0x9, &(0x7f0000007440)=""/81, 0x51}, 0x6}, {{&(0x7f00000074c0)=@pptp={0x18, 0x2, {0x0, @broadcast}}, 0x80, &(0x7f00000075c0)=[{&(0x7f0000007540)=""/119, 0x77}], 0x1}, 0x3}], 0xa, 0x40000140, 0x0)
mount(&(0x7f0000000040)=ANY=[@ANYBLOB="1281245ee83a2f7c077b39ec"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:42:08 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
openat$vfio(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vfio/vfio\x00', 0x0, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f00000002c0)={0x4000000000000, 0x0, 0x0, 0x1000, &(0x7f0000014000/0x1000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)
ioctl$KVM_REGISTER_COALESCED_MMIO(r1, 0x4010ae67, &(0x7f0000000080)={0x1000, 0x2000})
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000000)={0x3, 0x1, 0x100000, 0x1000, &(0x7f000000f000/0x1000)=nil})

[  355.529391][ T2286] binder: 2278:2286 ioctl 40046207 0 returned -16
[  355.599522][    T5] binder: undelivered TRANSACTION_COMPLETE
[  355.621864][ T2544] libceph: resolve '�$^�' (ret=-3): failed
[  355.631730][ T2544] libceph: parse_ips bad ip '�$^�'
15:42:08 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0xa00, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  355.644216][ T2597] binder: undelivered TRANSACTION_COMPLETE
15:42:08 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2fc8, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:08 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  355.816657][ T2739] binder: BINDER_SET_CONTEXT_MGR already set
15:42:08 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)
r0 = syz_open_dev$swradio(&(0x7f0000000240)='/dev/swradio#\x00', 0x1, 0x2)
setsockopt$packet_rx_ring(r0, 0x107, 0x5, &(0x7f0000000280)=@req3={0xb6, 0xce5, 0x0, 0xfffffffffffffe44, 0x2, 0x8, 0x10001}, 0x1c)
r1 = openat$zero(0xffffffffffffff9c, &(0x7f0000000140)='/dev/zero\x00', 0x0, 0x0)
r2 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000180)='/dev/mixer\x00', 0x1, 0x0)
write$USERIO_CMD_SEND_INTERRUPT(r1, &(0x7f00000001c0)={0x2, 0x5}, 0x2)
perf_event_open$cgroup(&(0x7f0000000080)={0x7, 0x70, 0x6, 0x5, 0x401, 0x7, 0x0, 0x4, 0x8014, 0x1, 0x101, 0x7, 0x100, 0x71df, 0x0, 0x1000, 0xff, 0x9, 0x7fffffff, 0x9, 0xcf80000000000000, 0x3ff, 0x3, 0xfffffffffffffffa, 0x0, 0x8, 0x5, 0x4, 0x4b, 0x0, 0x80000000, 0xffffffff, 0x7f, 0x6, 0x0, 0xe, 0x82, 0xfb65, 0x0, 0x4, 0x86c8ee8baedf1db7, @perf_bp={&(0x7f0000000000), 0x2}, 0x2, 0x4, 0x1, 0x0, 0x3, 0x8000, 0x20}, r1, 0x3, r2, 0x5)

[  355.867638][ T2739] binder: 2626:2739 ioctl 40046207 0 returned -16
15:42:08 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x2000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:08 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
ioctl$IOC_PR_PREEMPT(r2, 0x401870cb, &(0x7f0000000000)={0x1, 0x100000001, 0x6, 0x9})
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  355.916805][    T5] binder: undelivered TRANSACTION_COMPLETE
[  355.954762][ T2767] binder_alloc: binder_alloc_mmap_handler: 2626 20001000-20004000 already mapped failed -16
[  356.018795][ T2783] binder_alloc: 2626: binder_alloc_buf, no vma
[  356.029248][    T5] binder: undelivered TRANSACTION_COMPLETE
15:42:09 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2fe0, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  356.140939][ T2878] binder: BINDER_SET_CONTEXT_MGR already set
[  356.168823][ T2878] binder: 2871:2878 ioctl 40046207 0 returned -16
15:42:09 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/infiniband/rdma_cm\x00', 0x2, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$VT_GETMODE(r2, 0x5601, &(0x7f0000000000))
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

15:42:09 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x4800, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:09 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  356.196699][ T2978] binder_alloc: binder_alloc_mmap_handler: 2871 20001000-20004000 already mapped failed -16
15:42:09 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0xffffffffffffeffd, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000000)='/dev/btrfs-control\x00', 0x284000, 0x0)
write$P9_RCLUNK(r1, &(0x7f00000000c0)={0x7, 0x79, 0x2}, 0x7)
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xfffffffffffffffe, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x3ffffffffffc, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

15:42:09 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
chroot(&(0x7f0000000000)='./file0\x00')
clone(0x2102001bf9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:42:09 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x7800, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:09 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x301100, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

15:42:09 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x4c00, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  356.432132][ T3134] binder_alloc: binder_alloc_mmap_handler: 3125 20001000-20004000 already mapped failed -16
[  356.493711][ T3143] binder: BINDER_SET_CONTEXT_MGR already set
[  356.527474][ T3126] binder: BINDER_SET_CONTEXT_MGR already set
15:42:09 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  356.544541][ T3143] binder: 3138:3143 ioctl 40046207 0 returned -16
[  356.560247][ T3126] binder: 3125:3126 ioctl 40046207 0 returned -16
15:42:09 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
fdatasync(r3)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
setsockopt$inet_sctp_SCTP_ADAPTATION_LAYER(r1, 0x84, 0x7, &(0x7f0000000000), 0x4)
r4 = syz_genetlink_get_family_id$tipc(&(0x7f00000002c0)='TIPC\x00')
sendmsg$TIPC_CMD_GET_MEDIA_NAMES(r2, &(0x7f0000000380)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x90001000}, 0xc, &(0x7f0000000340)={&(0x7f0000000300)={0x1c, r4, 0x400, 0x70bd25, 0x25dfdbfc, {}, ["", ""]}, 0x1c}, 0x1, 0x0, 0x0, 0x44080}, 0x4000)
ioctl$KVM_RUN(r3, 0xae80, 0x0)
ioctl$SNDRV_SEQ_IOCTL_GET_SUBSCRIPTION(r2, 0xc0505350, &(0x7f0000000040)={{0x0, 0xffffffffffffffff}, {0x1, 0x7f}, 0x6, 0x6, 0x7})

15:42:09 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x20000498, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:09 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x6000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  356.788900][ T3345] binder_alloc: binder_alloc_mmap_handler: 3330 20001000-20004000 already mapped failed -16
[  356.833050][ T3331] binder: BINDER_SET_CONTEXT_MGR already set
[  356.839929][ T3331] binder: 3330:3331 ioctl 40046207 0 returned -16
15:42:09 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x8a020200, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:42:09 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:42:09 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
ioctl$BLKGETSIZE(r2, 0x1260, &(0x7f0000000000))
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  356.947263][ T3405] binder: BINDER_SET_CONTEXT_MGR already set
[  356.979622][ T3407] binder_transaction: 17 callbacks suppressed
[  356.979640][ T3407] binder: 3330:3407 transaction failed 29189/-3, size 24-8 line 3147
15:42:09 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

[  357.001777][ T3405] binder: 3404:3405 ioctl 40046207 0 returned -16
15:42:09 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x2, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  357.136887][ T3524] binder: 3523:3524 got transaction with invalid offsets ptr
15:42:10 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x6800, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  357.180551][ T3524] binder: 3523:3524 transaction failed 29201/-14, size 24-2 line 3193
15:42:10 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  357.231124][ T3527] binder_alloc: binder_alloc_mmap_handler: 3523 20001000-20004000 already mapped failed -16
[  357.257337][ T3556] binder: BINDER_SET_CONTEXT_MGR already set
15:42:10 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)
r3 = add_key(&(0x7f0000000000)='cifs.idmap\x00', &(0x7f0000000040)={'syz', 0x2}, &(0x7f00000002c0)="a83dea0be32cdc1454e2e5b54c4ead0948682e9dd8d023f459ecad8a8933411554eb1cd4b8184db9c205c362d3ee590ff2f7cb8026eddda62bc5e64381b761372ddf61b0bd57f4d83dab5bd9e3aa686b397f2f1b15fa4aeb71033c98831efa57351acb4f6587f066e658db0988d27e794de287dceb89f61f2c25a50331e5ff010183da9dffe87d4dfb2c510b6af3c5635a4fc81af01db2f1429f0b2baa1d433510f7ec394a3bbef350e56ca4f4eecbb91066dd27b31d56c68ed6b9", 0xbb, 0xffffffffffffffff)
keyctl$get_security(0x11, r3, &(0x7f0000000380)=""/231, 0xe7)

[  357.310203][ T3556] binder: 3553:3556 ioctl 40046207 0 returned -16
[  357.323116][ T3635] binder: 3523:3635 transaction failed 29189/-3, size 24-8 line 3147
[  357.338817][ T3524] binder: BINDER_SET_CONTEXT_MGR already set
15:42:10 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x14d100, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

15:42:10 executing program 1:
mkdir(&(0x7f0000000080)='./file0\x00', 0x0)
chmod(&(0x7f0000000000)='./file0\x00', 0x104)
r0 = creat(&(0x7f0000000140)='./file0\x00', 0x42)
setns(r0, 0x20000000)
ioctl$SNDRV_TIMER_IOCTL_GINFO(r0, 0xc0e05403, &(0x7f0000000240)={{0xffffffffffffffff, 0x0, 0x3ff, 0x0, 0x3}, 0x3, 0x7ff, 'id0\x00', 'timer1\x00', 0x0, 0x9, 0x1, 0x2, 0x40})
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)
r1 = syz_genetlink_get_family_id$net_dm(&(0x7f0000000180)='NET_DM\x00')
sendmsg$NET_DM_CMD_START(r0, &(0x7f0000000380)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x8000008}, 0xc, &(0x7f0000000340)={&(0x7f00000001c0)={0x14, r1, 0x311, 0x70bd29, 0x25dfdbfe, {}, ["", "", ""]}, 0x14}, 0x1, 0x0, 0x0, 0x4004000}, 0x8000)

[  357.399542][ T3524] binder: 3523:3524 ioctl 40046207 0 returned -16
[  357.399565][   T17] binder: release 3523:3524 transaction 1289 out, still active
[  357.406200][ T3527] binder: 3523:3527 transaction failed 29189/-3, size 24-2 line 3147
[  357.428089][   T17] binder: unexpected work type, 4, not freed
15:42:10 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x18, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:10 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x6c00, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  357.474585][   T17] binder_release_work: 37 callbacks suppressed
[  357.474592][   T17] binder: undelivered TRANSACTION_ERROR: 29201
15:42:10 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
sched_yield()
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

[  357.553243][   T17] binder: undelivered TRANSACTION_ERROR: 29189
[  357.566560][ T3762] binder: BINDER_SET_CONTEXT_MGR already set
[  357.577238][   T17] binder: undelivered TRANSACTION_ERROR: 29189
[  357.637976][ T3773] binder: BINDER_SET_CONTEXT_MGR already set
[  357.645057][ T3762] binder: 3759:3762 ioctl 40046207 0 returned -16
[  357.675020][ T3813] binder: 3759:3813 transaction failed 29189/-22, size 24-24 line 2994
15:42:10 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  357.675056][   T17] binder: send failed reply for transaction 1289, target dead
[  357.692025][ T3773] binder: 3768:3773 ioctl 40046207 0 returned -16
[  357.710534][ T3796] binder: 3759:3796 transaction failed 29189/-22, size 24-8 line 2994
15:42:10 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)
lgetxattr(&(0x7f0000000000)='./file0\x00', &(0x7f0000000080)=@known='system.posix_acl_default\x00', &(0x7f0000000140)=""/136, 0x88)

[  357.815511][ T3796] binder: 3759:3796 transaction failed 29189/-3, size 24-8 line 3147
[  357.860392][    T5] binder: undelivered TRANSACTION_ERROR: 29189
[  357.869428][    T5] binder: undelivered TRANSACTION_ERROR: 29189
15:42:10 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0xf7ffffffffefff7c, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

15:42:10 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x7400, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  357.901400][    T5] binder: undelivered TRANSACTION_ERROR: 29189
15:42:10 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x1800, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  358.052233][ T4099] binder: BINDER_SET_CONTEXT_MGR already set
[  358.064822][ T4099] binder: 4085:4099 ioctl 40046207 0 returned -16
15:42:11 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x2, 0x0)

[  358.106902][ T4099] binder: 4085:4099 transaction failed 29201/-28, size 24-6144 line 3147
15:42:11 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x7a00, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:11 executing program 5:
r0 = syz_open_dev$midi(&(0x7f0000000000)='/dev/midi#\x00', 0x9, 0x40)
ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  358.182905][    T5] binder_send_failed_reply: 9 callbacks suppressed
[  358.182915][    T5] binder: send failed reply for transaction 1300 to 3986:3987
[  358.228421][ T4197] binder: 4085:4197 transaction failed 29189/-3, size 24-8 line 3147
[  358.230765][ T4201] binder: BINDER_SET_CONTEXT_MGR already set
[  358.247492][    T5] binder: send failed reply for transaction 1301 to 4085:4192
15:42:11 executing program 1:
mkdir(&(0x7f0000000000)='./file0\x00', 0x0)
r0 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vsock\x00', 0x4000, 0x0)
recvmsg(r0, &(0x7f00000000c0)={&(0x7f0000000140)=@xdp, 0x80, &(0x7f00000001c0)=[{&(0x7f00000000c0), 0x275}], 0x1, &(0x7f0000000240)=""/254, 0xffffffffffffff48}, 0x10102)
clone(0x80000800, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:42:11 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x3, 0x0)

[  358.274317][    T5] binder: undelivered TRANSACTION_ERROR: 29189
[  358.281471][ T4201] binder: 4198:4201 ioctl 40046207 0 returned -16
[  358.303251][    T5] binder: undelivered TRANSACTION_ERROR: 29189
[  358.312129][    T5] binder: undelivered TRANSACTION_ERROR: 29201
[  358.342778][    T5] binder: undelivered TRANSACTION_ERROR: 29189
15:42:11 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x1000000, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:11 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x1000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  358.491622][ T4322] binder: 4321:4322 transaction failed 29201/-28, size 24-16777216 line 3147
[  358.529768][ T4324] binder: BINDER_SET_CONTEXT_MGR already set
15:42:11 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
r1 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000140)='/dev/dlm-monitor\x00', 0x8c002, 0x0)
syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f000000f000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x155559d7, 0xffffffe, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
setsockopt$inet_tcp_TCP_REPAIR(r1, 0x6, 0x13, &(0x7f0000000400), 0x4)
getsockopt$inet_sctp6_SCTP_DEFAULT_PRINFO(r1, 0x84, 0x72, &(0x7f00000002c0)={<r3=>0x0, 0x80000000, 0x30}, &(0x7f0000000300)=0xc)
setsockopt$inet_sctp6_SCTP_SET_PEER_PRIMARY_ADDR(r1, 0x84, 0x5, &(0x7f0000000340)={r3, @in={{0x2, 0x4e20, @initdev={0xac, 0x1e, 0x0, 0x0}}}}, 0x84)
r4 = openat$dsp(0xffffffffffffff9c, 0x0, 0x40083, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r5 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
lsetxattr$security_smack_transmute(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='security.SMACK64TRANSMUTE\x00', &(0x7f0000000080)='TRUE', 0x4, 0x1)
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x4cd, 0x0, 0x0, 0x0, 0x0, 0x2000002, 0x0, 0x0, 0x2], 0x1f000, 0x10000})
ioctl$KVM_RUN(r5, 0xae80, 0x0)

[  358.538701][ T4324] binder: 4323:4324 ioctl 40046207 0 returned -16
15:42:11 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
prctl$PR_GET_SECCOMP(0x15)
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

[  358.568194][    T5] binder: release 4321:4322 transaction 1308 out, still active
[  358.588216][    T5] binder: unexpected work type, 4, not freed
[  358.611019][    T5] binder: send failed reply for transaction 1308, target dead
15:42:11 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x2000000, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  358.676007][    T5] binder: send failed reply for transaction 1312 to 4323:4324
15:42:11 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x2000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:11 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x4, 0x0)

[  358.724913][    T5] binder_release_work: 9 callbacks suppressed
[  358.724920][    T5] binder: undelivered TRANSACTION_COMPLETE
[  358.755559][ T4455] binder: BINDER_SET_CONTEXT_MGR already set
[  358.791394][ T4481] binder_alloc_new_buf_locked: 8 callbacks suppressed
[  358.791402][ T4481] binder_alloc: 4452: binder_alloc_buf, no vma
15:42:11 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
uselib(&(0x7f0000000140)='./file0\x00')
mount(&(0x7f0000000240)=ANY=[@ANYBLOB="5b643a3a5d3a2f6c6c623a003cb589a2701ddceaa8e96eb7405d753761b171bc70cdb3e7212a58bec2aa6efae1f322e23d30a357c1b5ab9550a7eb5f22f7fe975cee00d1bc582da18dad595ee2ea6527f57cf570dc1108d2fe02dd5933252f3d063bb0a12f35e83a7dd411efa9e41911106c2d10157e29eb9597e9b1bf5872b06846f95eef83e1443ea3eda5ab8b8484d7c24ef7842ce15801f511a888325d3a3006ad7c0f03000000d2840193e32cb5f74b24d88a7130f7df26bebbb54ecd73a9ef354f15ac7c4ee7f20644ed"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  358.870308][   T17] binder: release 4452:4455 transaction 1315 out, still active
[  358.879553][ T4455] binder: 4452:4455 ioctl 40046207 0 returned -16
[  358.889487][   T17] binder: unexpected work type, 4, not freed
15:42:11 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x18000000, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:11 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/mixer\x00', 0x1, 0x0)
inotify_add_watch(r2, &(0x7f0000000040)='./file0\x00', 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  358.911086][   T17] binder: undelivered TRANSACTION_COMPLETE
[  358.940669][   T17] binder: send failed reply for transaction 1315, target dead
[  359.090573][ T4566] binder: BINDER_SET_CONTEXT_MGR already set
[  359.109379][ T4566] binder: 4552:4566 ioctl 40046207 0 returned -16
[  359.124797][ T4601] binder_alloc_mmap_handler: 4 callbacks suppressed
[  359.124815][ T4601] binder_alloc: binder_alloc_mmap_handler: 4552 20001000-20004000 already mapped failed -16
[  359.151159][ T4566] binder: BINDER_SET_CONTEXT_MGR already set
[  359.157697][ T4566] binder: 4552:4566 ioctl 40046207 0 returned -16
[  359.170435][   T17] binder: release 4552:4566 transaction 1322 out, still active
[  359.181270][   T17] binder: unexpected work type, 4, not freed
15:42:12 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0xfdfdffff, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  359.201392][   T17] binder: undelivered TRANSACTION_COMPLETE
[  359.222269][   T17] binder: release 4552:4601 transaction 1326 out, still active
15:42:12 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x3000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:12 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x5, 0x0)

15:42:12 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$KVM_CHECK_EXTENSION(r0, 0xae03, 0x7ff)
r2 = openat$null(0xffffffffffffff9c, &(0x7f0000000140)='/dev/null\x00', 0x400001, 0x0)
ioctl$CAPI_NCCI_GETUNIT(r2, 0x80044327, &(0x7f0000000340)=0x100000000)
r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
openat$fuse(0xffffffffffffff9c, &(0x7f0000000000)='/dev/fuse\x00', 0x2, 0x0)
ioctl$TIOCGPTPEER(r3, 0x5441, 0x86c8)
getpeername$unix(r3, &(0x7f00000002c0)=@abs, &(0x7f0000000080)=0x6e)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r4, 0xae80, 0x0)

[  359.267458][   T17] binder: unexpected work type, 4, not freed
[  359.291265][   T17] binder: undelivered TRANSACTION_COMPLETE
[  359.300593][ T4667] binder: BINDER_SET_CONTEXT_MGR already set
[  359.347726][   T17] binder: send failed reply for transaction 1321 to 4544:4546
[  359.358966][ T4667] binder: 4666:4667 ioctl 40046207 0 returned -16
[  359.379602][   T17] binder: send failed reply for transaction 1322, target dead
[  359.411351][ T4693] binder_alloc: binder_alloc_mmap_handler: 4666 20001000-20004000 already mapped failed -16
[  359.429769][   T17] binder: send failed reply for transaction 1326, target dead
[  359.447845][   T17] binder: undelivered TRANSACTION_COMPLETE
[  359.458470][ T4738] binder: BINDER_SET_CONTEXT_MGR already set
15:42:12 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)
lsetxattr$trusted_overlay_opaque(&(0x7f0000000000)='./file0\x00', &(0x7f0000000080)='trusted.overlay.opaque\x00', &(0x7f00000000c0)='y\x00', 0x2, 0x1)

[  359.491801][ T4738] binder: 4666:4738 ioctl 40046207 0 returned -16
15:42:12 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x4000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:12 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0xfffffdfd, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  359.547727][   T17] binder: release 4666:4693 transaction 1331 out, still active
[  359.578373][   T17] binder: unexpected work type, 4, not freed
15:42:12 executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000440)='/dev/nullb0\x00', 0x2000, 0x0)
r1 = dup(r0)
ioctl$CAPI_GET_FLAGS(r1, 0x80044323, &(0x7f0000000780))
r2 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000480)='/proc/capi/capi20ncci\x00', 0x14800, 0x0)
r3 = socket$inet_smc(0x2b, 0x1, 0x0)
r4 = syz_open_dev$dmmidi(&(0x7f00000004c0)='/dev/dmmidi#\x00', 0x1, 0x8000)
r5 = dup3(r4, r3, 0x80000)
getsockopt$inet_sctp_SCTP_PEER_ADDR_THLDS(r4, 0x84, 0x1f, &(0x7f0000000580)={<r6=>0x0, @in={{0x2, 0x4e22, @broadcast}}, 0x7, 0x6}, &(0x7f0000000640)=0x88)
write$FUSE_NOTIFY_POLL(r2, &(0x7f0000000740)={0x18, 0x1, 0x0, {0x5}}, 0x18)
getsockopt$inet_sctp_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f00000006c0)={r6, 0x20, &(0x7f0000000680)=[@in={0x2, 0x4e22, @local}, @in={0x2, 0x4e22, @rand_addr=0x9}]}, &(0x7f0000000700)=0xc)
ioctl$SG_GET_ACCESS_COUNT(r5, 0x2289, &(0x7f0000000400))
ioctl$VHOST_SET_LOG_BASE(r4, 0x4008af04, &(0x7f0000000540)=&(0x7f0000000500))
r7 = openat$capi20(0xffffffffffffff9c, &(0x7f0000000000)='/dev/capi20\x00', 0x800, 0x0)
ioctl$FS_IOC_FSSETXATTR(r7, 0x401c5820, &(0x7f0000000040)={0x7fd00b3f, 0x830, 0x6c, 0x1, 0x1})
r8 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140)='/dev/kvm\x00', 0x40a00, 0x0)
r9 = openat$proc_capi20(0xffffffffffffff9c, &(0x7f00000000c0)='/proc/capi/capi20\x00', 0x2, 0x0)
ioctl$UFFDIO_REGISTER(r9, 0xc020aa00, &(0x7f00000002c0)={{&(0x7f0000018000/0x2000)=nil, 0x2000}, 0x3})
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r10 = ioctl$KVM_CREATE_VM(r8, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r11 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r12 = ioctl$KVM_CREATE_VCPU(r10, 0xae41, 0x0)
ioctl$KVM_S390_INTERRUPT_CPU(r11, 0x4010ae94, &(0x7f0000000080)={0x7ff, 0x8, 0x81})
setsockopt$inet6_tcp_TCP_MD5SIG(r11, 0x6, 0xe, &(0x7f0000000300)={@in6={{0xa, 0x4e20, 0x80000001, @mcast2, 0xfffffffffffffffa}}, 0x0, 0x22a9, 0x0, "9b58a5f807b1c0f706ad20c108a508765bab871aeb9847d30a9dc14829ff246207ca6581627810d04d4c30a840e607251244d69fa0c8ac4adf7ab7ba201f18cfd8044855294875097f549070e03f62de"}, 0xd8)
ioctl$KVM_SET_USER_MEMORY_REGION(r10, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r12, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r12, 0xae80, 0x0)

[  359.611238][   T17] binder: undelivered TRANSACTION_COMPLETE
[  359.635988][   T17] binder: send failed reply for transaction 1330 to 4718:4725
15:42:12 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x6, 0x0)

[  359.669778][ T4898] binder: BINDER_SET_CONTEXT_MGR already set
[  359.682564][   T17] binder: send failed reply for transaction 1331, target dead
[  359.702131][ T4898] binder: 4891:4898 ioctl 40046207 0 returned -16
[  359.719252][   T17] binder: undelivered TRANSACTION_COMPLETE
[  359.745249][ T5020] binder_alloc: binder_alloc_mmap_handler: 4891 20001000-20004000 already mapped failed -16
15:42:12 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x5000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:12 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$full(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/full\x00', 0x46a440, 0x0)
r3 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000300)='/proc/capi/capi20ncci\x00', 0x200, 0x0)
ioctl$TIOCGPGRP(r3, 0x540f, &(0x7f0000000140)=<r4=>0x0)
r5 = mmap$binder(&(0x7f000001d000/0x4000)=nil, 0x4000, 0x2000000, 0x10, r2, 0x0)
r6 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000680)='IPVS\x00')
sendmsg$IPVS_CMD_GET_INFO(r2, &(0x7f00000007c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x1000}, 0xc, &(0x7f0000000780)={&(0x7f00000006c0)={0x88, r6, 0x10, 0x70bd2c, 0x25dfdbfe, {}, [@IPVS_CMD_ATTR_DEST={0x54, 0x2, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0xa000000000000}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x3}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0x8}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x3}, @IPVS_DEST_ATTR_WEIGHT={0x8, 0x4, 0x200}, @IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x7f}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x6}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0x2}, @IPVS_DEST_ATTR_FWD_METHOD={0x8}, @IPVS_DEST_ATTR_FWD_METHOD={0x8}]}, @IPVS_CMD_ATTR_DEST={0x14, 0x2, [@IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x8000}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e20}]}, @IPVS_CMD_ATTR_SERVICE={0xc, 0x1, [@IPVS_SVC_ATTR_AF={0x8, 0x1, 0x2}]}]}, 0x88}, 0x1, 0x0, 0x0, 0x44040}, 0x40)
r7 = mmap$binder(&(0x7f0000008000/0x3000)=nil, 0x3000, 0x0, 0x10010, r2, 0x0)
r8 = mmap$binder(&(0x7f0000018000/0x1000)=nil, 0x1000, 0x2, 0x28030, r2, 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000640)={0xe8, 0x0, &(0x7f0000000480)=[@reply_sg={0x40486312, {{0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000000), &(0x7f0000000080)=[0x38]}, 0xfffffffffffffe01}}, @transaction_sg={0x40486311, {{0x4, 0x0, 0x4, 0x0, 0x1, 0x0, 0x0, 0x30, 0x8, &(0x7f0000000340)=[@flat={0x77682a85, 0x100, r5, 0x3}, @flat={0x77682a85, 0xb, r7, 0x1}], &(0x7f0000000380)=[0x20]}, 0x40}}, @exit_looper, @reply_sg={0x40486312, {{0x4, 0x0, 0x2, 0x0, 0x10, 0x0, 0x0, 0x50, 0x30, &(0x7f00000003c0)=[@fd={0x66642a85, 0x0, r2}, @flat={0x77622a85, 0xa, r8, 0x1}, @fda={0x66646185, 0x1, 0x1, 0x1c}], &(0x7f0000000440)=[0x78, 0x18, 0x78, 0x38, 0x68, 0x0]}, 0x2}}], 0xb6, 0x0, &(0x7f0000000580)="ba92e758cb882bd52dec03369169efeb92b82c4be38d63bf1818261d697078350021198058b36a480d1326c09e5845dbdd69d16a226d581d5a1dc0fc8651f61bbcc78422501618d88e8d7e83350ac715ca6c3655c3ab179ee1c6bcc3e78d085b29e5f1fe3c7ebce653b841eb9f17d3197db5f52e17972ba25f5cd225a570801fa0f1eed9962393dec4dd1e1ed1a29af2e015d038a9993a979ee7b6ea0c058e93fac38e1a32963fcabfd4b4258af914c4fc7f66940c62"})
r9 = gettid()
setpgid(r4, r9)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r10 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r10, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r10, 0xae80, 0x0)

[  359.825857][    T5] binder: release 4891:5020 transaction 1337 out, still active
[  359.834002][    T5] binder: unexpected work type, 4, not freed
15:42:12 executing program 1:
r0 = openat$full(0xffffffffffffff9c, &(0x7f0000000000)='/dev/full\x00', 0x400, 0x0)
ioctl$KVM_X86_SETUP_MCE(r0, 0x4008ae9c, &(0x7f0000000080)={0x9, 0x3, 0xb0d})
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
ioctl$VIDIOC_STREAMON(r0, 0x40045612, &(0x7f0000000040)=0x4)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000100)=ANY=[@ANYBLOB="5b643a3c5de574300d892307d9527f3a2f6c6c623a00"], &(0x7f00000000c0)='./file0\x00', &(0x7f0000000180)='anon_inodefs\x00', 0x240008, 0x0)

[  359.873854][    T5] binder: undelivered TRANSACTION_COMPLETE
[  359.905905][    T5] binder: send failed reply for transaction 1336 to 4893:4895
15:42:12 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x100000000000000, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:12 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x7, 0x0)

[  359.979436][    T5] binder: send failed reply for transaction 1337, target dead
[  360.004049][ T5119] binder: BINDER_SET_CONTEXT_MGR already set
[  360.010846][    T5] binder: send failed reply for transaction 1341 to 4891:5020
[  360.041895][ T5119] binder: 5118:5119 ioctl 40046207 0 returned -16
[  360.042269][    T5] binder: undelivered TRANSACTION_COMPLETE
[  360.086467][ T5243] binder_alloc: binder_alloc_mmap_handler: 5118 20001000-20004000 already mapped failed -16
[  360.100592][    T5] binder: undelivered TRANSACTION_COMPLETE
15:42:13 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x6000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:13 executing program 1:
lsetxattr$trusted_overlay_origin(&(0x7f0000000180)='./file0\x00', &(0x7f00000001c0)='trusted.overlay.origin\x00', &(0x7f0000000240)='y\x00', 0x2, 0x1)
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102000ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
r0 = syz_open_pts(0xffffffffffffffff, 0x200)
ioctl$TCSBRKP(r0, 0x5425, 0xa19)
mount(&(0x7f0000000000)=ANY=[@ANYBLOB="880000005d3a2f6cba4a3a5d9e2a2a00"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)
r1 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f00000004c0)='/dev/dlm-monitor\x00', 0x8000, 0x0)
r2 = syz_genetlink_get_family_id$tipc(&(0x7f0000000300)='TIPC\x00')
sendmsg$TIPC_CMD_GET_REMOTE_MNG(r1, &(0x7f0000000400)={&(0x7f00000002c0), 0xc, &(0x7f00000003c0)={&(0x7f0000000380)={0x1c, r2, 0x410, 0x70bd2d, 0x25dfdbff, {}, [""]}, 0x1c}, 0x1, 0x0, 0x0, 0x20000000}, 0x40000)
mount(&(0x7f0000000280)=ANY=[@ANYBLOB="2f6465762f6e756c6c621800e9561b4b3255d78c9f69e509f9b35ea8da0617f65bf94b2a553bf4ff46225a87e23477d2c4e3c50becc7b7078828b3faca"], &(0x7f0000000080)='./file0\x00', &(0x7f00000000c0)='udf\x00', 0x0, &(0x7f0000000140)='ppp0{\x00')

[  360.139842][ T7756] binder: send failed reply for transaction 1345 to 5106:5110
[  360.153671][ T5321] binder_alloc: 5118: binder_alloc_buf, no vma
[  360.158821][ T7756] binder: send failed reply for transaction 1346 to 5118:5243
15:42:13 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
fcntl$getownex(r2, 0x10, &(0x7f0000000000)={0x0, <r3=>0x0})
prlimit64(r3, 0x1, &(0x7f0000000040)={0x7, 0x3f}, &(0x7f0000000080))
ioctl$KVM_RUN(r2, 0xae80, 0x0)

15:42:13 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x200000000000000, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  360.251213][ T5352] ceph: device name is missing path (no : separator in �)
15:42:13 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x8, 0x0)

15:42:13 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x7000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  360.362083][ T7756] binder: send failed reply for transaction 1353 to 5323:5324
[  360.409765][ T5538] binder_alloc: binder_alloc_mmap_handler: 5507 20001000-20004000 already mapped failed -16
15:42:13 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
getresuid(&(0x7f0000000240)=<r0=>0x0, &(0x7f0000000280)=<r1=>0x0, &(0x7f00000002c0)=<r2=>0x0)
getgroups(0x2, &(0x7f0000000300)=[<r3=>0x0, 0x0])
getxattr(&(0x7f0000000640)='./file0\x00', &(0x7f0000000900)=ANY=[@ANYRES32=r0], &(0x7f00000006c0)=""/170, 0xaa)
getgroups(0x7, &(0x7f0000000380)=[0xffffffffffffffff, 0xee00, 0x0, 0x0, 0x0, <r4=>0xee01, <r5=>0xffffffffffffffff])
fstat(0xffffffffffffff9c, &(0x7f00000003c0)={0x0, 0x0, 0x0, 0x0, <r6=>0x0, <r7=>0x0})
getresgid(&(0x7f0000000440), &(0x7f0000000480)=<r8=>0x0, &(0x7f00000004c0))
stat(&(0x7f0000000500)='./file0\x00', &(0x7f0000000540)={0x0, 0x0, 0x0, 0x0, <r9=>0x0})
setxattr$system_posix_acl(&(0x7f0000000080)='./file0\x00', &(0x7f00000000c0)='system.posix_acl_access\x00', &(0x7f0000000780)={{}, {0x1, 0x4}, [{0x2, 0x1, r0}, {0x2, 0x3, r2}, {0x2, 0x2, r6}, {0x2, 0x6, r0}, {0x2, 0x2, r6}, {0x2, 0x2, r9}, {0x2, 0x4, r1}, {0x2, 0x2, r0}, {0x2, 0x1, r6}, {0x2, 0x2, r0}], {0x4, 0x5}, [{0x8, 0x2, r3}, {0x8, 0x1, r5}, {0x8, 0x4, r7}, {0x8, 0x5, r8}, {0x8, 0x2, r4}], {0x10, 0x4}, {0x20, 0x1}}, 0x9c, 0x2)
r10 = openat$dlm_control(0xffffffffffffff9c, &(0x7f00000005c0)='/dev/dlm-control\x00', 0x200, 0x0)
r11 = ioctl$LOOP_CTL_GET_FREE(0xffffffffffffffff, 0x4c82)
ioctl$LOOP_CTL_REMOVE(r10, 0x4c81, r11)
r12 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer\x00', 0x800, 0x0)
setsockopt$inet_sctp_SCTP_SOCKOPT_BINDX_ADD(r12, 0x84, 0x64, &(0x7f0000000140)=[@in={0x2, 0x4e22, @local}, @in6={0xa, 0x4e22, 0x9, @loopback}, @in6={0xa, 0x4e20, 0x3, @local, 0x2}, @in={0x2, 0x4e21, @dev={0xac, 0x14, 0x14, 0x12}}, @in={0x2, 0x4e20, @dev={0xac, 0x14, 0x14, 0x24}}, @in6={0xa, 0x4e20, 0x80, @ipv4={[], [], @multicast1}, 0x5}], 0x84)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  360.467465][ T5510] binder: BINDER_SET_CONTEXT_MGR already set
[  360.488883][ T5510] binder: 5507:5510 ioctl 40046207 0 returned -16
[  360.494660][ T5542] binder: BINDER_SET_CONTEXT_MGR already set
15:42:13 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
clock_adjtime(0x1, &(0x7f00000002c0)={0x3000000000, 0x1000, 0x40, 0x1, 0x2, 0x5, 0x1, 0x100000001, 0x7, 0x100000000, 0x66, 0x4, 0x5, 0x6, 0x3, 0x3ff, 0x7ff, 0x4, 0x9, 0x8000, 0x1ff, 0x20, 0x1b15, 0x7ff, 0x0, 0x3})
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$SNDRV_CTL_IOCTL_ELEM_REMOVE(r2, 0xc0405519, &(0x7f0000000080)={0x7, 0x7, 0x4, 0x6, '\x00', 0x9})
syz_open_dev$ndb(&(0x7f0000000000)='/dev/nbd#\x00', 0x0, 0x4000)
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  360.529665][ T5542] binder: 5541:5542 ioctl 40046207 0 returned -16
[  360.537137][ T5545] binder_alloc: 5507: binder_alloc_buf, no vma
15:42:13 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x1800000000000000, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:13 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xa, 0x0)

15:42:13 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0xa000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  360.697296][ T5658] binder_alloc: binder_alloc_mmap_handler: 5656 20001000-20004000 already mapped failed -16
[  360.788860][ T5657] binder: BINDER_SET_CONTEXT_MGR already set
[  360.828525][ T5657] binder: 5656:5657 ioctl 40046207 0 returned -16
[  360.836099][ T5693] binder: BINDER_SET_CONTEXT_MGR already set
[  360.851417][ T5693] binder: 5691:5693 ioctl 40046207 0 returned -16
[  360.851730][ T5658] binder_alloc: 5656: binder_alloc_buf, no vma
[  360.865092][ T7756] binder: release 5656:5657 transaction 1362 out, still active
[  360.875013][ T7756] binder: unexpected work type, 4, not freed
15:42:13 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)
write$P9_RLOCK(r2, &(0x7f0000000000)={0x8, 0x35, 0x1, 0x3}, 0x8)

15:42:13 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
r0 = openat$null(0xffffffffffffff9c, &(0x7f0000000000)='/dev/null\x00', 0xc0, 0x0)
ioctl$KVM_SET_VAPIC_ADDR(r0, 0x4008ae93, &(0x7f0000000080)=0x100000)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  360.881987][ T7756] binder: send failed reply for transaction 1362, target dead
[  360.901979][ T5737] binder_alloc: 5656: binder_alloc_buf, no vma
15:42:13 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0xfdfdffff00000000, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:13 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x20000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:13 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x200, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

15:42:14 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xca, 0x0)

[  361.088464][ T5889] binder_alloc: binder_alloc_mmap_handler: 5875 20001000-20004000 already mapped failed -16
15:42:14 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
syz_extract_tcp_res(&(0x7f0000000040), 0xffffffffffffffff, 0x80000001)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
getsockopt$bt_BT_POWER(r2, 0x112, 0x9, &(0x7f0000000080)=0x2, &(0x7f0000000140)=0x1)
ioctl$BINDER_SET_MAX_THREADS(r2, 0x40046205, 0x4)
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_ASSIGN_SET_INTX_MASK(r1, 0x4040aea4, &(0x7f0000000000)={0x9b, 0x21f5, 0x81, 0x2, 0x200})

[  361.155155][ T5892] binder: BINDER_SET_CONTEXT_MGR already set
[  361.168228][ T5892] binder: 5891:5892 ioctl 40046207 0 returned -16
[  361.175008][ T5886] binder: BINDER_SET_CONTEXT_MGR already set
[  361.192002][ T5886] binder: 5875:5886 ioctl 40046207 0 returned -16
15:42:14 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf0, 0x0)

[  361.200579][ T5892] binder_alloc: 5875: binder_alloc_buf, no vma
[  361.211846][ T5897] binder_alloc: 5875: binder_alloc_buf, no vma
15:42:14 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x2}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:14 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x48000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  361.423476][ T6102] binder_alloc: binder_alloc_mmap_handler: 6091 20001000-20004000 already mapped failed -16
15:42:14 executing program 1:
r0 = openat$zero(0xffffffffffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x0, 0x0)
getpeername$packet(0xffffffffffffffff, &(0x7f0000002680)={0x11, 0x0, <r1=>0x0, 0x1, 0x0, 0x6, @local}, &(0x7f00000026c0)=0x14)
ioctl$TUNSETIFINDEX(r0, 0x400454da, &(0x7f0000002700)=r1)
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=ANY=[@ANYBLOB='[@\x00\x00\x00\x00\x00\x00\x00b:\x00'], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:42:14 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x124, 0x0)

15:42:14 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x4)
ioctl$FS_IOC_GET_ENCRYPTION_POLICY(r2, 0x400c6615, &(0x7f0000000000))
bind$vsock_stream(r3, &(0x7f0000000080)={0x28, 0x0, 0x2710, @host}, 0x10)
openat$smack_task_current(0xffffffffffffff9c, &(0x7f0000000140)='/proc/self/attr/current\x00', 0x2, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_PPC_GET_SMMU_INFO(r1, 0x8250aea6, &(0x7f0000000040)=""/25)
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
setsockopt$ARPT_SO_SET_REPLACE(r3, 0x0, 0x60, &(0x7f0000000300)={'filter\x00', 0x7, 0x4, 0x488, 0x134, 0x0, 0x0, 0x3a4, 0x3a4, 0x3a4, 0x4, &(0x7f00000002c0), {[{{@uncond, 0xf0, 0x134}, @unspec=@IDLETIMER={0x44, 'IDLETIMER\x00', 0x0, {0x3f, 'syz1\x00', 0x4}}}, {{@arp={@loopback, @remote, 0xff000000, 0xffffff00, @mac, {[0x0, 0xff, 0xff, 0x0, 0xff, 0xff]}, @empty, {[0x0, 0xff, 0xff]}, 0xa55, 0x40, 0x120000, 0x78e519b8, 0x55, 0xffffffffffff0000, 'veth0_to_hsr\x00', 'veth0_to_bond\x00', {0xff}, {0xff}}, 0xf0, 0x15c}, @unspec=@NFLOG={0x6c, 'NFLOG\x00', 0x0, {0x2000000020, 0x401, 0x9, 0x0, 0x0, "f0b29ee1b6349cc47d47a5d06ef5d55d0d229e119c6c1dc71754fa2c8d4d44a3465f9dbf1906dda57b18c238879e4b2a8257afe53ec710f4ae5b541dbbb8c8e7"}}}, {{@arp={@initdev={0xac, 0x1e, 0x0, 0x0}, @remote, 0xffffffff, 0xff000000, @empty, {[0xff, 0x0, 0x0, 0x0, 0xff, 0xff]}, @empty, {[0x0, 0x0, 0x0, 0x0, 0x0, 0xff]}, 0x0, 0x204, 0x6, 0x200, 0xfffffffffffffff7, 0x3f, 'eql\x00', 'hwsim0\x00', {0xff}, {0xff}}, 0xf0, 0x114}, @unspec=@AUDIT={0x24, 'AUDIT\x00'}}], {{[], 0xc0, 0xe4}, {0x24}}}}, 0x4d4)
ioctl$KVM_RUN(r4, 0xae80, 0x0)

[  361.507294][ T6112] binder: BINDER_SET_CONTEXT_MGR already set
[  361.542534][ T6112] binder: 6110:6112 ioctl 40046207 0 returned -16
[  361.549218][ T6092] binder_alloc: 6091: binder_alloc_buf, no vma
[  361.571001][ T6117] ceph: device name is missing path (no : separator in [@)
[  361.574514][   T17] binder: release 6091:6092 transaction 1376 out, still active
15:42:14 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

[  361.612103][ T6114] binder: BINDER_SET_CONTEXT_MGR already set
[  361.632933][ T6114] binder: 6091:6114 ioctl 40046207 0 returned -16
[  361.635511][   T17] binder: unexpected work type, 4, not freed
15:42:14 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x180, 0x0)

15:42:14 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x18}], 0x0}}}], 0x0, 0x0, 0x0})

[  361.681181][   T17] binder: send failed reply for transaction 1376, target dead
[  361.701585][   T17] binder: undelivered transaction 1379, process died.
15:42:14 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x4c000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:14 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000140)=ANY=[@ANYBLOB="5b6403000000000000003a00e1742cec07645d60069b10a83058a8bc44d6c61172baf6f923a3d3212af30d4a9d1e2898d798e71aacf43bf079fb5c63c81512dd2e6b68254bd29bd132b0edfd8fae5c76ed2043c02a0e1ddf085179c757a6d30e0e"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:42:14 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
stat(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)={0x0, 0x0, 0x0, 0x0, <r3=>0x0})
getgroups(0x1, &(0x7f0000000140)=[<r4=>0xee01])
fchownat(r2, 0x0, r3, r4, 0x0)
r5 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r5, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r5, 0xae80, 0x0)

[  361.847878][ T6336] binder_alloc: binder_alloc_mmap_handler: 6315 20001000-20004000 already mapped failed -16
[  361.874659][ T6335] binder: BINDER_SET_CONTEXT_MGR already set
[  361.884810][ T6335] binder: 6315:6335 ioctl 40046207 0 returned -16
15:42:14 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r1 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
ioctl$TCGETA(r1, 0x5405, &(0x7f0000000000))
ioctl$SG_GET_VERSION_NUM(r1, 0x2282, &(0x7f0000000140))
ioctl$VIDIOC_G_AUDIO(r0, 0x80345621, &(0x7f0000000380))
r2 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(0xffffffffffffffff, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)
bpf$MAP_DELETE_ELEM(0x3, &(0x7f0000000080)={r1, &(0x7f00000002c0)="4c37e1d8c245283ec8d7d80699ecb9b5cf881a2ed043797926b1162ded62453217be0859f125322072295d60a0663c63bd66a5162caedbc80d98e50d59fc5d355688670b45e557b7864776e22a08f66d306857f0b8b864d3aaee36ac36c501da19ae273afc82f429de3697755eca2468abc2c03b39543a19c7f75dc49c116bc7d2a913f71e59cbf072fc955e75dd2536aacd1244f68299e128df"}, 0x10)

[  361.922770][ T6336] binder_alloc: 6315: binder_alloc_buf, no vma
[  361.940529][ T6341] binder: BINDER_SET_CONTEXT_MGR already set
[  361.948662][ T6342] ceph: device name is missing path (no : separator in [d)
[  361.970803][ T6341] binder: 6339:6341 ioctl 40046207 0 returned -16
[  361.974913][   T17] binder: undelivered transaction 1385, process died.
15:42:14 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x1800}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:15 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x27a, 0x0)

15:42:15 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$audio(0xffffffffffffff9c, &(0x7f0000000000)='/dev/audio\x00', 0x202000, 0x0)
ioctl$VIDIOC_ENUMSTD(r2, 0xc0405619, &(0x7f0000000080)={0x8, 0x10, "d567d5d524fd2f91f71d5c3e33b456576efac2ece5521825", {0x8, 0x4}, 0x1000})
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

15:42:15 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x60000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  362.153027][ T6525] binder_alloc: binder_alloc_mmap_handler: 6500 20001000-20004000 already mapped failed -16
15:42:15 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff})
recvfrom$unix(r0, &(0x7f0000000240)=""/247, 0xf7, 0x2000, &(0x7f0000000140)=@file={0x1, './file0\x00'}, 0x6e)
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
r1 = openat$uhid(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/uhid\x00', 0x4, 0x0)
r2 = shmget$private(0x0, 0x4000, 0x200, &(0x7f0000ff9000/0x4000)=nil)
shmctl$IPC_INFO(r2, 0x3, &(0x7f00000005c0)=""/154)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
getsockopt$inet_sctp_SCTP_RESET_STREAMS(0xffffffffffffffff, 0x84, 0x77, 0x0, &(0x7f00000002c0))
setsockopt$inet6_int(0xffffffffffffffff, 0x29, 0xfb, &(0x7f00000001c0), 0x4)
prctl$PR_TASK_PERF_EVENTS_ENABLE(0x20)
mount(0x0, &(0x7f0000000000)='./file0\x00', 0x0, 0x0, 0x0)
capset(&(0x7f0000000040)={0x24020019980330}, &(0x7f0000000140))
clone(0x1ffc, 0x0, 0xfffffffffffffffe, &(0x7f0000000280), 0xffffffffffffffff)
setpriority(0x2, 0x0, 0x8)
write$UHID_INPUT2(r1, &(0x7f0000000280)={0xc, 0x1e, "1a4b2312b4f6ebb3b0dd3c9b30368772e44596e94a002697a98c91154aa7"}, 0x24)
readv(r1, &(0x7f0000000840)=[{&(0x7f0000000380)=""/90, 0x5a}, {&(0x7f0000000400)=""/77, 0x4d}], 0x2)
write$UHID_CREATE(r1, &(0x7f0000000480)={0x0, 'syz1\x00', 'syz1\x00', 'syz0\x00', &(0x7f0000000000)=""/11, 0xfffffffffffffed0}, 0x11c)
write$UHID_DESTROY(r1, &(0x7f0000000080), 0x4)
bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000100)={<r3=>0x0, 0xffffffffffffffff, 0x0, 0xe, &(0x7f0000000040)='l${proc^eth1&\x00'}, 0x30)
fcntl$F_GET_FILE_RW_HINT(r1, 0x40d, &(0x7f0000000180))
ioprio_set$pid(0x3, r3, 0x8)
r4 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vga_arbiter\x00', 0x80, 0x0)
setsockopt$inet_tcp_int(r4, 0x6, 0xe, &(0x7f0000000040)=0x36, 0x399af204b16b906f)
mount(&(0x7f00000000c0)=ANY=[@ANYBLOB="5bd98ffa813a2f6c6c623a0085ea12ebe8a34f5a9cac607e46dcfd3df14809e007b96e52421e908fff8f16eb63170ea20800000000000000c6f965272cb1"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  362.225886][ T6514] binder: BINDER_SET_CONTEXT_MGR already set
[  362.249498][ T6514] binder: 6500:6514 ioctl 40046207 0 returned -16
[  362.250265][ T6564] binder_alloc: 6500: binder_alloc_buf, no vma
[  362.264200][ T6563] binder: BINDER_SET_CONTEXT_MGR already set
15:42:15 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x300, 0x0)

[  362.289134][ T6563] binder: 6562:6563 ioctl 40046207 0 returned -16
[  362.298566][ T7807] binder: undelivered transaction 1391, process died.
15:42:15 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
ioctl$TIOCGPGRP(r0, 0x540f, &(0x7f0000000000))
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$KVM_SIGNAL_MSI(r1, 0x4020aea5, &(0x7f0000000080)={0xf000, 0x1000, 0xffff, 0x8, 0x5eb})
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

15:42:15 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x68000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  362.427521][ T6564] binder_transaction: 19 callbacks suppressed
[  362.427536][ T6564] binder: 6500:6564 transaction failed 29189/-3, size 24-8 line 3147
15:42:15 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net/ipv4/vs/expire_quiescent_template\x00', 0x2, 0x0)
getsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(0xffffffffffffffff, 0x84, 0x9, &(0x7f00000002c0)={<r3=>0x0, @in={{0x2, 0x4e23, @rand_addr=0x80000001}}, 0x0, 0x0, 0x5, 0x101, 0x18}, &(0x7f0000000040)=0x98)
getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(r2, 0x84, 0x70, &(0x7f0000000380)={r3, @in={{0x2, 0x4e20, @broadcast}}, [0x6, 0x3, 0x39f394ad, 0x3, 0x3, 0x6, 0x5, 0x5, 0x3ff, 0xffffffff, 0x200, 0x6, 0x0, 0x3, 0x3]}, &(0x7f0000000080)=0x100)
r4 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
connect$rxrpc(r4, &(0x7f0000000880)=@in4={0x21, 0x0, 0x2, 0x10, {0x2, 0x4e23, @dev={0xac, 0x14, 0x14, 0xd}}}, 0x24)
getsockopt$inet_IP_IPSEC_POLICY(r0, 0x0, 0x10, &(0x7f0000000480)={{{@in=@initdev, @in=@remote}}, {{@in6=@dev}, 0x0, @in6=@mcast2}}, &(0x7f0000000140)=0xe8)
getsockopt$inet6_IPV6_IPSEC_POLICY(r2, 0x29, 0x22, &(0x7f0000000580)={{{@in6=@empty, @in6=@mcast1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r5=>0x0}}, {{@in6=@ipv4={[], [], @local}}, 0x0, @in=@loopback}}, &(0x7f0000000680)=0xe8)
fchownat(0xffffffffffffffff, 0x0, r5, 0x0, 0x0)
r6 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r6, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
write$RDMA_USER_CM_CMD_CREATE_ID(r2, &(0x7f0000000700)={0x0, 0x18, 0xfa00, {0x2, &(0x7f00000006c0)={<r7=>0xffffffffffffffff}, 0x2, 0x7}}, 0x20)
write$RDMA_USER_CM_CMD_RESOLVE_ADDR(r4, &(0x7f0000000740)={0x15, 0x110, 0xfa00, {r7, 0x1, 0x0, 0x0, 0x0, @ib={0x1b, 0x1ff, 0x10001, {"c31fd9f3a2adb484b796378619c58081"}, 0x9, 0x98, 0x40}, @in6={0xa, 0x4e21, 0x0, @ipv4={[], [], @dev={0xac, 0x14, 0x14, 0x20}}, 0x80000000}}}, 0x118)
ioctl$KVM_RUN(r6, 0xae80, 0x0)

15:42:15 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x1000000}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:15 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  362.568600][ T6784] binder: BINDER_SET_CONTEXT_MGR already set
[  362.591959][ T6784] binder: 6783:6784 ioctl 40046207 0 returned -16
[  362.598788][ T6787] binder: BINDER_SET_CONTEXT_MGR already set
[  362.609845][ T6787] binder: 6786:6787 ioctl 40046207 0 returned -16
15:42:15 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x378, 0x0)

[  362.643038][   T17] binder: undelivered transaction 1397, process died.
[  362.650800][ T6785] binder: 6783:6785 transaction failed 29189/-22, size 24-8 line 2994
[  362.668186][   T17] binder_release_work: 33 callbacks suppressed
[  362.668193][   T17] binder: undelivered TRANSACTION_ERROR: 29189
15:42:15 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x2000000}], 0x0}}}], 0x0, 0x0, 0x0})

[  362.716533][   T17] binder: undelivered TRANSACTION_ERROR: 29189
15:42:15 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x37c, 0x0)

15:42:15 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x6c000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:15 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000400)='/dev/kvm\x00', 0x20000, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = syz_genetlink_get_family_id$tipc(&(0x7f0000000140)='TIPC\x00')
sendmsg$TIPC_CMD_SET_LINK_TOL(r2, &(0x7f0000000380)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000000340)={&(0x7f00000002c0)={0x68, r3, 0x120, 0x70bd29, 0x25dfdbfd, {{}, 0x0, 0x4107, 0x0, {0x4c, 0x18, {0x9, @media='ib\x00'}}}, ["", "", "", ""]}, 0x68}, 0x1, 0x0, 0x0, 0x20000000}, 0x1)
r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
bind$pptp(r2, &(0x7f0000000000)={0x18, 0x2, {0x3, @empty}}, 0x1e)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r4, 0xae80, 0x0)

[  362.862915][ T6906] binder: BINDER_SET_CONTEXT_MGR already set
15:42:15 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(r2, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  362.910748][ T6906] binder: 6905:6906 ioctl 40046207 0 returned -16
[  362.910752][ T6920] binder: BINDER_SET_CONTEXT_MGR already set
[  362.910782][ T6920] binder: 6907:6920 ioctl 40046207 0 returned -16
[  362.936164][    T5] binder: release 6905:6906 transaction 1400 out, still active
[  362.944264][ T6918] binder: 6905:6918 transaction failed 29189/-3, size 24-8 line 3147
[  362.952745][    T5] binder: unexpected work type, 4, not freed
15:42:15 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x3b8, 0x0)

15:42:15 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
pipe2(&(0x7f0000000000)={<r0=>0xffffffffffffffff}, 0x80000)
getsockopt$inet_tcp_int(r0, 0x6, 0x37, &(0x7f0000000080), &(0x7f00000000c0)=0x4)
mount(&(0x7f0000000040)=ANY=[@ANYBLOB='[d::]:/llb;\x00'], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  362.970697][    T5] binder: send failed reply for transaction 1400, target dead
[  363.000870][    T5] binder: undelivered transaction 1403, process died.
15:42:16 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x18000000}], 0x0}}}], 0x0, 0x0, 0x0})

[  363.048459][    T5] binder: undelivered TRANSACTION_ERROR: 29189
15:42:16 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x3d0, 0x0)

15:42:16 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x74000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  363.163104][ T7131] binder: BINDER_SET_CONTEXT_MGR already set
15:42:16 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x80000, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

[  363.203472][ T7131] binder: 7130:7131 ioctl 40046207 0 returned -16
15:42:16 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x3ea, 0x0)

[  363.257411][ T7133] binder: 7130:7133 transaction failed 29189/-3, size 24-8 line 3147
[  363.269164][ T7141] binder: BINDER_SET_CONTEXT_MGR already set
[  363.321246][ T7141] binder: 7140:7141 ioctl 40046207 0 returned -16
[  363.321564][T26837] binder: undelivered TRANSACTION_ERROR: 29189
15:42:16 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0xfdfdffff}], 0x0}}}], 0x0, 0x0, 0x0})

[  363.367975][T26837] binder_send_failed_reply: 5 callbacks suppressed
[  363.367985][T26837] binder: send failed reply for transaction 1406 to 7130:7131
[  363.406503][T26837] binder: undelivered transaction 1409, process died.
15:42:16 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x3f6, 0x0)

[  363.435003][T26837] binder: undelivered TRANSACTION_ERROR: 29189
[  363.454475][ T7263] binder: BINDER_SET_CONTEXT_MGR already set
15:42:16 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
getpeername$netlink(r2, &(0x7f0000000000), &(0x7f0000000040)=0xc)
prctl$PR_GET_CHILD_SUBREAPER(0x25)
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  363.484916][ T7279] binder: 7233:7279 transaction failed 29189/-3, size 24-8 line 3147
[  363.521308][T26837] binder: release 7233:7263 transaction 1412 out, still active
15:42:16 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=ANY=[@ANYBLOB="000000003f00000002000000"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  363.534870][ T7263] binder: 7233:7263 ioctl 40046207 0 returned -16
[  363.544825][T26837] binder: unexpected work type, 4, not freed
15:42:16 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x7a000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  363.580123][T26837] binder: undelivered TRANSACTION_ERROR: 29189
15:42:16 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0xfffffdfd}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:16 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x500, 0x0)

[  363.638753][T26837] binder: send failed reply for transaction 1412, target dead
[  363.676262][T26837] binder: undelivered transaction 1415, process died.
[  363.764902][ T7441] binder: BINDER_SET_CONTEXT_MGR already set
[  363.786746][ T7441] binder: 7412:7441 ioctl 40046207 0 returned -16
[  363.808537][ T7441] binder: BINDER_SET_CONTEXT_MGR already set
15:42:16 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
getrandom(&(0x7f0000000240)=""/196, 0xc4, 0x2)
mount(&(0x7f0000000040)=ANY=[@ANYBLOB='[d::]:/l|b:\x00'], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:42:16 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000000)={0x1, 0x3, 0x4000000000, 0x2000, &(0x7f0000015000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

15:42:16 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0xfdfdffff, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  363.826433][T26837] binder: release 7412:7441 transaction 1419 out, still active
[  363.840947][ T7441] binder: 7412:7441 ioctl 40046207 0 returned -16
[  363.847675][T26837] binder: unexpected work type, 4, not freed
15:42:16 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x100000000000000}], 0x0}}}], 0x0, 0x0, 0x0})

[  363.879487][T26837] binder_release_work: 20 callbacks suppressed
[  363.879492][T26837] binder: undelivered TRANSACTION_COMPLETE
[  363.916381][T26837] binder: undelivered TRANSACTION_COMPLETE
15:42:16 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

[  363.951864][T26837] binder: send failed reply for transaction 1418 to 7362:7363
[  363.996169][T26837] binder: send failed reply for transaction 1419, target dead
[  364.033717][ T7736] binder: BINDER_SET_CONTEXT_MGR already set
[  364.034308][T26837] binder: undelivered transaction 1422, process died.
15:42:17 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x600, 0x0)

15:42:17 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000240)=ANY=[@ANYBLOB="1b00623a9f7fc259ec4452aa3cd4b89bdf53e1a572ae0129d8f17f5415ebce05557fb37e344b8fa4fd5d55c0eff83e90c97069e5be8eb63d5ab6c2d6b7dcbab6a3ed447f68d23d7c2f8d170fb77f84c77c50faa7713fa2fff4a9eb678db03b5d8e6c03c0e9baa692a1bb419bb726d018bdbae3b6489ec6a0fc9f55f37b6b88aec2d470f8bcddeb6e6f727849d20b7c73c69e1b1f547942856d7a177812f30154aa1ac971f554f976083d48bc7af024c7df416e98a6e117cceb548f9f925f39cf6d8ef3c99311c98be6b088456fe01f80f19697efe1680fd08eae38af"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)
r0 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net/ipv4/vs/amemthresh\x00', 0x2, 0x0)
ioctl$ifreq_SIOCGIFINDEX_team(0xffffffffffffffff, 0x8933, &(0x7f0000000040)={'team0\x00', <r1=>0x0})
setsockopt$RDS_GET_MR_FOR_DEST(r0, 0x114, 0x7, &(0x7f0000000140)={@ll={0x11, 0xff, r1, 0x1, 0x2, 0x6, @local}, {&(0x7f0000000380)=""/255, 0xff}, &(0x7f0000000080), 0x50}, 0x9c)

[  364.039749][ T7736] binder: 7675:7736 ioctl 40046207 0 returned -16
[  364.119496][T26837] binder: send failed reply for transaction 1423 to 7412:7580
[  364.134931][ T7828] binder: BINDER_SET_CONTEXT_MGR already set
[  364.163454][ T7828] binder: 7675:7828 ioctl 40046207 0 returned -16
[  364.174478][T26837] binder: undelivered TRANSACTION_COMPLETE
[  364.190124][ T7858] ceph: device name is missing path (no : separator in )
[  364.205452][T26837] binder: undelivered TRANSACTION_ERROR: 29189
15:42:17 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0xfffffdfd, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:17 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x200000000000000}], 0x0}}}], 0x0, 0x0, 0x0})

[  364.219377][T26837] binder: release 7675:7835 transaction 1432 out, still active
[  364.250240][T26837] binder: unexpected work type, 4, not freed
15:42:17 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
r5 = syz_genetlink_get_family_id$SEG6(&(0x7f0000000140)='SEG6\x00')
sendmsg$SEG6_CMD_DUMPHMAC(r3, &(0x7f0000000440)={&(0x7f0000000080), 0xc, &(0x7f0000000400)={&(0x7f00000003c0)={0x3c, r5, 0x110, 0x70bd29, 0x25dfdbfb, {}, [@SEG6_ATTR_SECRET={0x18, 0x4, [0x7, 0x7, 0x0, 0x6, 0x10000]}, @SEG6_ATTR_SECRET={0x10, 0x4, [0x5, 0xff, 0x0]}]}, 0x3c}, 0x1, 0x0, 0x0, 0x844}, 0x40)
ioctl$KVM_CREATE_PIT2(r3, 0x4040ae77, &(0x7f0000000000)={0xfffffffffffeffff})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
pread64(r2, &(0x7f00000002c0)=""/236, 0xec, 0x0)
ioctl$KVM_RUN(r4, 0xae80, 0x0)
ioctl$SNDRV_CTL_IOCTL_PCM_NEXT_DEVICE(r3, 0x80045530, &(0x7f0000000480)=""/97)

[  364.276515][T26837] binder: undelivered TRANSACTION_COMPLETE
[  364.304174][ T7883] binder: BINDER_SET_CONTEXT_MGR already set
[  364.322754][ T7883] binder: 7882:7883 ioctl 40046207 0 returned -16
[  364.329819][T26837] binder: send failed reply for transaction 1427 to 7589:7590
15:42:17 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)
pipe(&(0x7f0000000000)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$BLKPBSZGET(r0, 0x127b, &(0x7f0000000080))

[  364.370580][T26837] binder: send failed reply for transaction 1428 to 7675:7736
[  364.404294][T26837] binder: undelivered transaction 1431, process died.
[  364.412118][ T8010] binder_alloc_mmap_handler: 6 callbacks suppressed
15:42:17 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x700, 0x0)

[  364.412136][ T8010] binder_alloc: binder_alloc_mmap_handler: 7968 20001000-20004000 already mapped failed -16
[  364.443143][ T7969] binder: BINDER_SET_CONTEXT_MGR already set
[  364.454977][ T7969] binder: 7968:7969 ioctl 40046207 0 returned -16
[  364.475168][T26837] binder: send failed reply for transaction 1432, target dead
15:42:17 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x1800000000000000}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:17 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x100000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  364.523481][T26837] binder: send failed reply for transaction 1436 to 7968:7969
[  364.531008][T26837] binder: undelivered transaction 1439, process died.
[  364.553173][T26837] binder: undelivered TRANSACTION_COMPLETE
[  364.582086][T26837] binder: undelivered TRANSACTION_COMPLETE
[  364.608549][T26837] binder: undelivered TRANSACTION_ERROR: 29189
[  364.635232][ T8151] binder: BINDER_SET_CONTEXT_MGR already set
[  364.662257][ T8151] binder: 8150:8151 ioctl 40046207 0 returned -16
[  364.666341][T26837] binder: undelivered TRANSACTION_COMPLETE
[  364.685069][ T8186] binder_alloc: binder_alloc_mmap_handler: 8150 20001000-20004000 already mapped failed -16
[  364.700598][T26837] binder: undelivered TRANSACTION_ERROR: 29189
[  364.709796][ T8151] binder: BINDER_SET_CONTEXT_MGR already set
[  364.729723][ T8151] binder: 8150:8151 ioctl 40046207 0 returned -16
15:42:17 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140)='/dev/kvm\x00', 0x80800, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$SNDRV_SEQ_IOCTL_SET_QUEUE_TEMPO(r2, 0x402c5342, &(0x7f0000000000)={0x3ff, 0x80000000, 0x6, {}, 0x4, 0x4a})
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

15:42:17 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=ANY=[@ANYBLOB="65643a3a5d3a2f6cea4e6c62"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  364.730561][T26837] binder: undelivered TRANSACTION_COMPLETE
[  364.757734][T26837] binder: undelivered TRANSACTION_COMPLETE
[  364.768818][T26837] binder: undelivered TRANSACTION_ERROR: 29189
15:42:17 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0xfdfdffff00000000}], 0x0}}}], 0x0, 0x0, 0x0})

[  364.795204][T26837] binder: release 8150:8186 transaction 1446 out, still active
[  364.812543][ T8288] libceph: resolve 'ed' (ret=-3): failed
15:42:17 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = dup(r0)
getsockopt$IP_VS_SO_GET_DESTS(r2, 0x0, 0x484, &(0x7f00000002c0)=""/4096, &(0x7f0000000140)=0x1000)
r3 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x80000, 0x0)
ioctl$TIOCLINUX5(r3, 0x541c, &(0x7f0000000080)={0x5, 0x9, 0x2095f454, 0x3, 0x6})
r4 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r5 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r5, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r4, 0xae80, 0x0)

15:42:17 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xa00, 0x0)

[  364.851411][T26837] binder: unexpected work type, 4, not freed
[  364.872138][ T8288] libceph: parse_ips bad ip 'ed::]'
[  364.895518][T26837] binder: undelivered TRANSACTION_COMPLETE
15:42:17 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x200000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  364.901480][T26837] binder: release 8150:8186 transaction 1442 out, still active
[  364.962110][T26837] binder: unexpected work type, 4, not freed
[  364.988822][T26837] binder: send failed reply for transaction 1441 to 8132:8143
[  364.998918][ T8434] binder_alloc: binder_alloc_mmap_handler: 8358 20001000-20004000 already mapped failed -16
15:42:17 executing program 1:
r0 = syz_open_dev$swradio(&(0x7f0000000000)='/dev/swradio#\x00', 0x1, 0x2)
r1 = accept4$unix(r0, &(0x7f0000000080), &(0x7f0000000180)=0x6e, 0x80000)
getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000140)={0x0, 0x0, <r2=>0x0}, &(0x7f00000001c0)=0xc)
fstat(r1, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0, <r3=>0x0})
getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f00000002c0)={0x0, 0x0, <r4=>0x0}, &(0x7f0000000300)=0xc)
getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000380)={0x0, 0x0, <r5=>0x0}, &(0x7f00000003c0)=0xc)
lstat(&(0x7f0000000400)='./file0\x00', &(0x7f0000000440)={0x0, 0x0, 0x0, 0x0, 0x0, <r6=>0x0})
getgroups(0x5, &(0x7f00000004c0)=[r2, r3, r4, r5, r6])
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
ioctl$DRM_IOCTL_SET_MASTER(r0, 0x641e)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
getsockopt$inet_sctp6_SCTP_EVENTS(r0, 0x84, 0xb, &(0x7f0000000500), &(0x7f0000000540)=0xb)
mount(&(0x7f0000000580)=ANY=[@ANYBLOB="5b643a3a000003009e32bdfff12db05c3d6e96bd42bce200000000"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  365.012944][ T8420] binder: BINDER_SET_CONTEXT_MGR already set
[  365.028222][ T8420] binder: 8396:8420 ioctl 40046207 0 returned -16
[  365.035272][T26837] binder: send failed reply for transaction 1442, target dead
[  365.044545][ T8401] binder: BINDER_SET_CONTEXT_MGR already set
[  365.060276][T26837] binder: send failed reply for transaction 1446, target dead
[  365.060676][ T8401] binder: 8358:8401 ioctl 40046207 0 returned -16
[  365.074694][ T8420] binder_alloc_new_buf_locked: 3 callbacks suppressed
[  365.074705][ T8420] binder_alloc: 8358: binder_alloc_buf, no vma
[  365.119080][ T8420] binder: 8396:8420 transaction failed 29189/-3, size 0-0 line 3147
[  365.122883][ T8442] libceph: resolve 'd' (ret=-3): failed
[  365.129027][ T8462] binder_alloc: 8358: binder_alloc_buf, no vma
[  365.144449][ T8462] binder: 8358:8462 transaction failed 29189/-3, size 24-8 line 3147
[  365.153302][ T8442] libceph: parse_ips bad ip '[d:'
15:42:18 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x1f, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x4000000000000000, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8000000000000000, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x20100, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

15:42:18 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x1020, 0x0)

[  365.206279][T26837] binder: send failed reply for transaction 1450 to 8358:8401
15:42:18 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
r1 = openat$full(0xffffffffffffff9c, &(0x7f0000000140)='/dev/full\x00', 0x101000, 0x0)
r2 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vga_arbiter\x00', 0x4000, 0x0)
ioctl$KVM_CREATE_DEVICE(r1, 0xc00caee0, &(0x7f0000000080)={0x2, r2})
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r4, 0xae80, 0x0)

15:42:18 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x2}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:18 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x300000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:18 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)
r0 = dup2(0xffffffffffffff9c, 0xffffffffffffff9c)
ioctl$PERF_EVENT_IOC_REFRESH(r0, 0x2402, 0x8)

15:42:18 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x2000, 0x0)

[  365.413577][ T8672] binder: BINDER_SET_CONTEXT_MGR already set
[  365.432593][ T8672] binder: 8667:8672 ioctl 40046207 0 returned -16
[  365.487752][ T8753] binder_alloc: binder_alloc_mmap_handler: 8667 20001000-20004000 already mapped failed -16
15:42:18 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x2010, 0x0)

15:42:18 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
ioctl$KVM_CREATE_DEVICE(r1, 0xc00caee0, &(0x7f0000000000)={0x6, r2, 0x1})
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)
r4 = getuid()
r5 = getgid()
fchownat(r2, &(0x7f0000000080)='./file0\x00', r4, r5, 0x1000)

[  365.557877][ T8672] binder: BINDER_SET_CONTEXT_MGR already set
[  365.582622][ T8672] binder: 8667:8672 ioctl 40046207 0 returned -16
[  365.589212][T26837] binder: release 8667:8753 transaction 1462 out, still active
15:42:18 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x400000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  365.614463][T26837] binder: unexpected work type, 4, not freed
15:42:18 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x18}], 0x0}}}], 0x0, 0x0, 0x0})

[  365.672060][ T8910] binder: BINDER_SET_CONTEXT_MGR already set
15:42:18 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=ANY=[@ANYBLOB="5b64ff0100002f6cac623a00"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x1, 0x0)
r0 = openat$vfio(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vfio/vfio\x00', 0x40, 0x0)
r1 = syz_genetlink_get_family_id$tipc(&(0x7f00000000c0)='TIPC\x00')
sendmsg$TIPC_CMD_GET_MAX_PORTS(r0, &(0x7f00000001c0)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x800000}, 0xc, &(0x7f0000000180)={&(0x7f0000000140)={0x1c, r1, 0x810, 0x70bd2a, 0x25dfdbff, {}, ["", "", ""]}, 0x1c}, 0x1, 0x0, 0x0, 0x800}, 0xc000)

[  365.739647][ T8910] binder: 8909:8910 ioctl 40046207 0 returned -16
[  365.739808][T26837] binder: send failed reply for transaction 1457 to 8674:8676
15:42:18 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x2401, 0x0)

[  365.813666][T26837] binder: send failed reply for transaction 1458 to 8667:8753
[  365.832182][ T8935] ceph: device name is missing path (no : separator in [d�
)
[  365.842251][ T8934] binder_alloc: binder_alloc_mmap_handler: 8919 20001000-20004000 already mapped failed -16
[  365.843276][T26837] binder: send failed reply for transaction 1462, target dead
[  365.874039][ T8920] binder: BINDER_SET_CONTEXT_MGR already set
[  365.896535][ T8920] binder: 8919:8920 ioctl 40046207 0 returned -16
15:42:18 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x500000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:18 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb, 0x6cee], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)
ioctl$KVM_RUN(r3, 0xae80, 0x0)

15:42:18 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x3f00, 0x0)

[  365.978066][ T9079] binder_alloc: 8919: binder_alloc_buf, no vma
[  365.997005][ T9079] binder: 8919:9079 transaction failed 29189/-3, size 24-8 line 3147
15:42:19 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
getsockopt$sock_cred(r2, 0x1, 0x11, &(0x7f0000000000), &(0x7f0000000080)=0xc)
r3 = geteuid()
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', r3, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$EVIOCGABS2F(r2, 0x8018456f, &(0x7f00000002c0)=""/196)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r4, 0xae80, 0x0)

15:42:19 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2000, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f00000001c0)=ANY=[], &(0x7f0000000140)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x2000, 0x0)
r0 = syz_open_dev$sndpcmp(&(0x7f0000000000)='/dev/snd/pcmC#D#p\x00', 0xdd, 0x4100)
ioctl$BLKRRPART(r0, 0x125f, 0x0)
prctl$PR_CAP_AMBIENT(0x2f, 0x1, 0x20)
r1 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2\x00', 0x0, 0x0)
write$P9_RLERROR(r1, &(0x7f0000000080)=ANY=[@ANYBLOB="0e00000007010005002300000000"], 0xe)

15:42:19 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x1800}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:19 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x4000, 0x0)

[  366.237877][ T9188] binder: BINDER_SET_CONTEXT_MGR already set
[  366.289560][ T9188] binder: 9169:9188 ioctl 40046207 0 returned -16
[  366.310314][ T9231] binder_alloc: binder_alloc_mmap_handler: 9169 20001000-20004000 already mapped failed -16
15:42:19 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x600000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  366.341470][ T9188] binder: BINDER_SET_CONTEXT_MGR already set
[  366.364409][   T12] binder: release 9138:9140 transaction 1472 out, still active
[  366.372951][ T9231] binder_alloc: 9138: binder_alloc_buf, no vma
[  366.381159][   T12] binder: send failed reply for transaction 1472, target dead
15:42:19 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
write$RDMA_USER_CM_CMD_CREATE_ID(r2, &(0x7f0000000140)={0x0, 0x18, 0xfa00, {0x1, &(0x7f0000000080)={<r4=>0xffffffffffffffff}, 0x13f}}, 0x20)
write$RDMA_USER_CM_CMD_RESOLVE_IP(r2, &(0x7f00000002c0)={0x3, 0x40, 0xfa00, {{0xa, 0x4e23, 0x5, @initdev={0xfe, 0x88, [], 0x0, 0x0}, 0x2a9}, {0xa, 0x4e20, 0x0, @dev={0xfe, 0x80, [], 0x1b}, 0x1}, r4, 0xfffffffffffffffd}}, 0x48)
keyctl$session_to_parent(0x12)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
getsockopt$inet_sctp_SCTP_FRAGMENT_INTERLEAVE(r2, 0x84, 0x12, &(0x7f0000000000), &(0x7f0000000040)=0x4)
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

15:42:19 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x24008, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
r0 = syz_open_dev$adsp(&(0x7f0000000040)='/dev/adsp#\x00', 0x319, 0x4c0100)
ioctl$CAPI_NCCI_GETUNIT(r0, 0x80044327, &(0x7f0000000080)=0x9)
r1 = open(&(0x7f0000000000)='./file0\x00', 0x40, 0x4)
getsockopt$inet_sctp6_SCTP_GET_PEER_ADDRS(r1, 0x84, 0x6c, &(0x7f00000000c0)={<r2=>0x0}, &(0x7f00000001c0)=0x8)
getsockopt$inet_sctp_SCTP_LOCAL_AUTH_CHUNKS(r1, 0x84, 0x1b, &(0x7f0000000240)={r2, 0xe1, "f50690671c3d909bdea6e782400aa9f0fab197b415418dcedcaa163c0ac6aff35d260083505aea822c6dcfcdcf6f4a7ceac3a06b4db0c2e69d45a299980dacb6cf89618d78221e7c8e53f88df52fea18cbeeac72a74bd909388cb42028808c671cb5facb6920addd2445caecf95aa20f31197e9e04f779ac060ab8cc59b26741e77f518cffa06d3c50754598d7cdd29993b910d17784af3f36d0c1cec4850f6f0d75d5ca5734bc844f9141d3136158689a27d1fedd9b7eb17589f2f2e1ec243b10506a9a08e87a1ec8d0e37f0a79261b8edb0614fb28e5af63e05488ab251cec8b"}, &(0x7f0000000380)=0xe9)
mount(&(0x7f0000000140)=ANY=[@ANYBLOB="5b0600ad393a2f6c6c6203000dc8f52bbb9fcdde68b019ead02e733bd604350acd3f8ca4922607836b45f27daa54e00a9d30c52068d877300893a2245a8a1ebf6324ee7182346d5e3be38dbd0fcf"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  366.393794][ T9188] binder: 9169:9188 ioctl 40046207 0 returned -16
[  366.438545][ T9231] binder: 9169:9231 transaction failed 29189/-3, size 24-8 line 3147
15:42:19 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$EVIOCGABS3F(r2, 0x8018457f, &(0x7f00000003c0)=""/89)
r3 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000080)='/dev/hwrng\x00', 0x2, 0x0)
pread64(r0, &(0x7f00000002c0)=""/9, 0x9, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
ioctl$KVM_GET_MSR_INDEX_LIST(r3, 0xc004ae02, &(0x7f0000000300)=ANY=[@ANYBLOB="02a57ce6bc7514ff870a5b70"])
r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r4, 0xae80, 0x0)
fsetxattr$security_smack_entry(r3, &(0x7f0000000000)='security.SMACK64IPIN\x00', &(0x7f0000000140)='/dev/hwrng\x00', 0xb, 0x3)

15:42:19 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x1000000}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:19 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x7803, 0x0)

[  366.693681][ T9529] binder: BINDER_SET_CONTEXT_MGR already set
[  366.724244][ T9529] binder: 9527:9529 ioctl 40046207 0 returned -16
15:42:19 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vsock\x00', 0x44000, 0x0)
write$P9_RATTACH(r1, &(0x7f0000000040)={0x14, 0x69, 0x1, {0x4, 0x0, 0x1}}, 0x14)
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

15:42:19 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
bpf$OBJ_GET_MAP(0x7, &(0x7f0000000180)={&(0x7f0000000140)='./file0\x00', 0x0, 0x18}, 0x10)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
r0 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
getpeername(r0, &(0x7f0000000080)=@pppoe={0x18, 0x0, {0x0, @broadcast}}, &(0x7f00000001c0)=0x80)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  366.756253][ T9580] binder_alloc: binder_alloc_mmap_handler: 9527 20001000-20004000 already mapped failed -16
[  366.777156][ T9529] binder: BINDER_SET_CONTEXT_MGR already set
[  366.783970][ T9529] binder: 9527:9529 ioctl 40046207 0 returned -16
[  366.790919][   T17] binder: release 9527:9580 transaction 1480 out, still active
15:42:19 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x700000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  366.807776][   T17] binder: unexpected work type, 4, not freed
[  366.864343][   T17] binder: send failed reply for transaction 1480, target dead
15:42:19 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x2000000}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:19 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x7a02, 0x0)

[  366.919618][   T17] binder_cleanup_transaction: 5 callbacks suppressed
[  366.919625][   T17] binder: undelivered transaction 1483, process died.
[  367.017605][ T9625] binder: BINDER_SET_CONTEXT_MGR already set
[  367.073310][ T9625] binder: 9624:9625 ioctl 40046207 0 returned -16
15:42:20 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x7c03, 0x0)

15:42:20 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
prctl$PR_GET_KEEPCAPS(0x7)
sendmmsg$unix(r2, &(0x7f0000002680)=[{&(0x7f0000000400)=@abs={0x1, 0x0, 0x4e20}, 0x6e, &(0x7f0000000140)=[{&(0x7f0000000480)="c208cd25d6d684046360bd23f054433b0a8865e8c9c92fa4e8f23a32b699c5a2c00c7b82e72855a2733e41a2717ac86f4e30c1f038f925e41570d5a218227f3c0c864a8b8e0f9ebe23cad79cfa8a878ad785ee7171f576e77fbe18aadfc131ea2edf4741ede5761f04046912ef82b86b1dd5add5d4d914d26682f65dff45f3c56b9da60c12630df06bbcf32ac2a66a49ddeae3a72f14edf9ae2da94af2465de25e", 0xa1}, {&(0x7f0000000000)="7d764894ccdf0d7da26298e0", 0xc}, {&(0x7f0000000540)="3224c050cc5c7aac0fda4a81fa1cad397e324bf8f855aefce6d3b8dfbb463b49c6c227c7b18ba13090e91cf4bb70bdba39bc9a0db1aed95d7eda865d58638d80786ffa4a554c0972c4549b45cafa48d31272760a810ab0c17922c4644dcbf24f2124790fbd7dd95368c8fdf7c2d11307d3566364e86d11522d8bacfa074233add3933d35cb858aac66c39683b8f70ef3bf59350637c592098cd78ee4d2ae5016260bce53633f9c707546f3a3b63e14b7299b91ee117dbb1e9d28c47c6dda2c96030f6caec063a63e9bb2c81130c52e19d57d3083adc2ba5ed2467b5fa28007b0450b641c61c363cff83f03af9d50e397ce2bfd3a4a887af93728e5df363ecb5719eed07d9d4b396ed1dbce173e5dad6ff64622475b28cdd31074a4816d43f897d4352db1723cee142040e43eda656b915e9644bedda2ac3238b99e7ba18702054b124004d8aece93146c17cc04bf3ca2417ef58d9b9c5b0bc59d32a3d93f61bc59002ad5773071e44b7455b9fd46e12604c0c0d7e9b0ba71eaf65193e39568095d11545810750e40a627c6e76dd0df09130695808085a4412ff932740486308767ba5277f98d07ae4d2e062fa7da7c76edfd90d2b6c3fcc060ca892fad3ea3fc80f2ca36d603b7eed537ed663d7a56ae7e2c650f21fea448b0167a386061861f51cfa214981d985d76f4c6b76c29cb933f55a923402b9b00ca83c78e87223e5409c3a1e5b909a125d9f859cf0d15860d45ff65ef81a1b44c5d53943934130b8244d05bf4adde1e2ad255676aec0bea04a938431e1c2e3018d6c6aa2d1cc54812c073833e6c0a4cf6247e1681dafc960f82c15ad4d0b7bb4c357605f893b8406ec601cfc2ea15486be5101e2cbf8678dfefa4f9222a262c58b7045311ff3990a7e82c8872628ae04a5a07eb0d03a14fa2c6f81e0607e9d38c1b2c851f4bfa5157780e50ebcc8af86996ca3ffd6e4c5a43f9ddc5d481a94f80d0119353fa99299d9b660d4d4f901664885dc14c00c0467752e456b3a4e855e4798231f5a870272942bc613094abab0a0c469a33306e55457887d5dad92b27243504d99866bd40f19e0da80c62dc9c1147be267dcc9bda68ef9bb2b26275283e4e9d74c7a939ac8a1cb1ae255227e050fe2665c5fe632ce100745309b7683cf0714eb50aebf3bb300f0e55a4e27ffe2857da76487eff5d173dbeadcec6e704831f0a5e4dc0a554b0fd533ef81f0a258c27038e4356402837b5e9492aeab7e858df8a918b6fb71e4d141d556c5f193a4d989c422e766bcaee3e2dea66150fbd1903f8838c9506a69ab506fcf6b4d57de7f933f989de879d92d66e9ceb882896bd06c86d183cd009b34424b33d04f38e9af426cb9099dcbf2e5e5c3ef7fd0901015bd9f0a5e169caa388a73c6629b229fc0c40699fc5887a3b2fd73ce2b638edda043ebb9eba61f5bd00cafece67e1d974533c348073e2342def2edf5ecf5f9cfcdbd0edd4bc70975a5abad189b61a63fd763c03b24100e82bb682c0d024f7709066795ec52684827eb0a389ec274fc6b3e537052234b686fa85b93195d07d80c8ac1e68fd6abc5366dbdfa367d8680cdd7c78d96b6346b299b06342bf99d45782e0bc3cc25761c36c0810def70909e1bbae47f57d965abcc886573b719a8f31101343ca5ef3bf7d8a62c16c57716105e2981a7a5d882b15295b0fdbcdad7022b25efe2b8c421ff56394a5318601d0937ccd24f52d9fb5aff8583e47dd63314b459f4837cac92983a85be6cea181de545b0846e7f446300b909ba6ad4450fc3f4429915fb59a17e0f24980c2096daea284a5433c2aea14a4ef9ac59e8078b661a986e68f2f199d7fd093fc7b2feee6c4255a9d1ced9402e8ea3fb16e76710bffdd80a731ac2268292ae818b3557bcf027cd701ac8e337bc9fa06857d62174e74fcb8bfd06bdf74a824082dc694726c8ec786d29c3598442443028d9206dc00a75b7bf14083a50fd0cf4b5e8995e7792555a945813b258442c4e15c19956045fa53096452e070528accd6dbfc1df199b889ea898b485d50d6bb480f90333e75e524ecf6673a02dddc137c9a07fbd8d3fd49b6ec4182cd6a57aa4dded01c3de92973075eb064e5bd02c415adaaa6f69d7ee4e2e176ae359418c1d6464de3b03ff757548bd27cfaedcac097989d621acee43877221b3e3c37a9b661e56c4b31046ca84d135c78faf3c8e9134e02a373065156cf5177290bd9ccde2cd2f47938f0e820ff4b42fe565fa671917c1897289a070b1dea46f6359ca4590224fb698e69aa06bb929f67ef2938cac50554e544f0c3c738ed3f444e13a19753e78b96f40f696a9773a659a5309f7ffed317482040fe1d977fa381838e3b87510c2ead8c570a8ccf070ba8bfa802f3676a4840e426f9e08b0f868697f64c0f850870cd9b716164a85386f605b1b7b19bec77689b4b53619dc662ca80b5768d76bf59a1d02f56dd06f3af99e490d660bb2bd6d9251fa5d8bbfcdc47bea185881c511f453628ae9228ac406a6eb31f7b83429dbe45b6218f72cfe85ba80f1726d073664bd23c804336a3af5d5e319b3e5b926c6d1bc58039cd4240fc2ea9ec20275a2b65d5bf4cf19e071c41538f8127c5fb7375578d4cf067e63f892e62f042183fc0699467df319d7d9fe00e158feddac52e691730ee504af7bc8a7b9418d38f6485cc9ca59a4aaec71c59e2cee33594cf177a7cb934c407b4613b5b8d1ade306c498853201d7ec4c82bc5eaadb823a00461aa7d8ed3e28d7c963e2389a30879e5cd608f5822b29f5b7b65fb3f1b543c4b9de3392a38e83744881f3a2af4b93f2df2546842a6ce52dd4a07da5184c1ecff54411bf585ff23872ed51d2755b8bcd5c0361f2073ae3c0ddd4c99496d5c63196e11deefb1981bb3f59eba446f678b1375dc332adb0d85da09eb38852294c0d86f3e1ed086372f78267cc7b5dce81d2caeaa57453888987ea725b9306e01ced101220253a42fd215b552d56b51576d12df24b44fe4a07c39633a77f92287dbb5a2da37789f5653b8bcdb18b7cbf0d34610606d84d83c63a770b77d437d2c219108f9d3edfc699c25f02832aeac10088849506a64d9330f4ab2b89a02feac5a480472235b2c3b680bbf61628e06ba489c6eef1427958e742ce386675c53690dcdca115152205a9fdfa0c9799cd66f3cc8e191f2a394d05bde9e2e4fdaa9f38d5676139566603d4df55fcd9516d9d6ce1bade198268155072e2fed7d201bbd220516a55d1800febdc3947443e658f365d4e60a833f545aeca1aafb4f71f60a54027c1127878c78d3e8a48aa1af1299531a793f6e74ad8c2ade110a0d9e169813f305d4cafc1ef38575c566c73fb98a52ed17384bb0e5ccdc137f2305f4e7d49a0bd024dad6de577065950c4a8e1ff3fb41007517b8bbd5fa03161a0db3f6278340b42b25eebda67ea4a39e606a64a5874df7ddb920de9a71b86743b7b4d5720b7bfea0ddb655411a4fd3e11b8a4416eb1bb198d9028cc9b807eccd76f27ce07f7605861f0377e08631b65f1b8030e3cd939a66b7eb9dce22bb3882975dd26a3f53435e4b27679c85bd19f9bc6ab9da5fd7dfca33b2e5240679bb497b4e3979db2fc52a706c080ed19e6d5377202994a2ef66a5fe80ca9f5a39298fb35f3a953f02b72034bb278b9f74c1e525442b36384656e553ce56de561def7fdb2671fe99a85b9534f474d11458b42e326256d26dd42925f43dab5b0162c25faf359c1da3c1fff528fd490180d1b13968755c72e80fe7044fb5e364317951ce916d22e0cb6a801f459defeb4d2080ded0e99b135331ea0b715d76562426ca5dcfcf6b32778970fa305d4fb1af260b3caf090c4384ea9fb3efc157d17b7d8a4ada3e121fcc8df6e8117959e08275e3048542e350278fd6730af83fdb87f6e834a399ac5275d58c6d54b35539f413e46b30436ddaf388a3adc3255a77e63876b4fcbb161323644903255fee4d30c5da1ed882088215491eda5205fa7d3bb525d4b0ca8937616d00b7f81fda6a7efa02a22c8acf775d2194aac3c98c83693da211bfcf37b88dae5aeb4cb30ca3d4b5eb8595b4fd3f1a468af3bbb64a7cff4446314e4d1f78d88379873ef53b681e95d70545082801f18acb82357c5736a32acc01ab5f80b07465200e8cdc2eb74cd503f27ea40676fa45a9ef93f32a1aca5e2b8d7de681af075906b4088f51fccbe98d919d885abe208ec1bbab162a2bc52f4a103196dda64e550f7a89ce19c736108ad4d9fa310e61cc030da1cd4f53e3988ff0b77c696690dbbbfb61c89ebe7f2b94499e073e34a06cb2458e334dc6f15b579c1f06b67956f1298164186675c7ba1a913f41d2022ed4fc2206b229a7551d935110546288f91bcf3dddcae580aef2144055e1ad57cafbd4b7a295edfd26b77d9900fff50ecaa17fdfd12b65124183375f7b78a9978f6c788e9e31d8121d8fff67d3cf2ed86edf70fa5fc3c51c1a6c98bd5277e1c2683e297807099496a247258b65809d6803a9aa003d5d08f6aa640ff245d695b8f7cb4a74dde2ba85d53c55df19f0a39f1f55dadee408c43e737e8d5df0d3b9ef83317efaf1b3ea525f8e483dc739a5fe801f84e9b8f517abfd7668b3868e08c6b6355a5f2f6c324a4187df1b41fcdafc78e1eb48ab90b89c73637760da5390bc987ae72d59d81ec2e4498963190a39b5bd1067e3a3dde5fdecfc9807a52b4a3a64f6a51943bce9e1f35105f4cf51609e9024bd0d9c6093ac1c38221893f4a48a18d08ed9351ca56d779726b7da0233222d5769296bf7cee2100a22aedd6ed9e8976e4e42042ca34c4ab738331a928cccfbd9709eee8c7f09d8f8add7e9dc5144228dbac3ff5a4000d140414888dcae433068f62297e2731391a4ea511535f7fb8997536ec9cae172334d75cfc17d8f226651b79628e9868f3bc0c1ea94162fbde5a94996942e84c383b9afdbab104c9272fdb8bcef2d1c09e836938e45ef3a97884ca1b966102bbbd5ca771412063f7d2bd744e63b5e247f2045795dc04873d44222d17f3bd5aa82fb9ff1f4475c0297169f2ef0bcaad4eaac71db26ec73c959437fcc12facd09aa2c370dca9e83d2999073702ee75c831ff27d26deef015fc26b93325fdaebb37745ac29da94fc5b3466d4cbefa2d3db25980be1c5be1836d48fe09cf75cb9bdc03e67a641b593e730dac0efb35b6ba16b0764497774ec94bba1f8fc77511734d4276b49be2b4b644a5ff1cb988de5dbeff2e581962a3633793f042098b785df99ca0e3eeb510b43c29c087725992fdc22f56aacf1476b151e8fdfe055c701fba31f3a2894bac2ee9e9d56a4a95a5a4a9f301b7702538dd3b5d19c75bfc684c3be500dc2f90ee3583e41324cde176e06d61fe5bcbdeba8be3648754b22c9f6e3f9bb7524924d63e8922a1c01b58800141d0189fce2c8004b85c8949a20a3a7fd3378f5aea25f92714a78c76985081278062195eb9358a74988cfead2a09b1aa6c5a7d19968dbc9fdd8a357dbddef938827dbbc0c032d24b9f3af4d0125c8c096bf6f216ffacff8cef4e5f6c440d542b6aabdd76f4c6d00ce4c267fd9326f454c94bd0d5919c9d58a24e05f0698d7e4c3500d4983dcb2d0d67d1aedcb00b433535287199d5b995e5960d0a82d8b8f8667f0a3edbc1b592af3db31eb4b7c513d7c27da2d9ec783d43811f8007dcee2460bd39bcc1211700b06102c5719a4049b5a1be0716400de02d0031dc7be0da2399855633b5fd82e05dee1d695a016a9f8e03a2395b57e3a7acb25", 0x1000}, {&(0x7f0000000080)="740b4f851eba7c60b9a87d21", 0xc}, {&(0x7f0000001540)="b396e30dc397d7b165a8f31493be8381518a4ec0b0e56a0c83f4929a29f9961981cf9633cd4ed198aafd9a9824755f14d10efebf99c60a212f59b04e9d3ffa75d617b29a1684c6ccb0535f30bccf93de3dbed09cab42314a485b6e99511173b109be0edeece3e1cba20dcf3f995ebf97aec18ef3", 0x74}, {&(0x7f00000015c0)="e3eb481a2897f6b812bee1838a5b09fc362418d90d053c51e6dd6dd48f58eb5e68de5b73d032e8406ca08a444d47a6584a2f72af415bce9c219ea7e7f2a8848c24a512b3178fda09f477cee5171b323ee58b3e5dd5566502f7efa689df8b4d0161088e36117b0f073e5f769282d26363a126b0e372c87bea4dba3a46851bd6a5d086fcea4f995b056855d37607f2a459e2111a7b971cbe24e11d0df02eadf4b24fb3b835c6ca645af841170e127e01f22c0692d7ead96b2ce3f8983e9d09ed348e5695a659cf6debab369a04e2b9553b2eb37dbd98e1c85cfc2a5f17c6b8170dc3af7854abb585642dfee165cdd02437e0eca7eddfe3cad9dd3711d187e50e79cc5ffbb419c86849923749db35b80c10ab4cc71118013b4d93efae740bb236c50939513d9301b48a530ca52e6b4fc70dce63ae5441c417df04ad75ccfbf7047dc7969c727d8d814d76540eec33876591e53d6ee73e3c6f39108c4eb3a967287cc2c23e0e33527153cef8a4dadc3212679ebca1ec8f724bb835caeffcfa72765020bc80dbd74ef96636c90c77c2adf604439709d12261915c8236381a81da8e716bf3812682a848163d8521a84b4a8d65174f91ba06c9e72b1906e351a767e13c52043598b6cbaf00ccfaa1911fd72d82e90c9010727f586df71f41e9890173d29ce75cfade661e3c0f920e6cdb5e90c8726ba28de7693906b6b74da115b23a31bbd57f4217d97ae45baccd449fd6b6a723caf993d88e277c1ba0360975fbc22d3f04fc15af58fcb024aba2498a8f7803765d9981fa639492c811dc42daae81125629d248a65338c9e8c3bb53b9ded9cf20d466dc0bdc4d18fb37e301517299487d2e57977e34f481f8f10fd90eb2645ea0db9b4c136fa457303ccd3432c8917b46fa30721f78b3b858c00f3d43a0cac17f926cc236a5ea1b05ddb0ff1f46391aa9564b2160fc6a85d3511c4f36b31973fda951577ce8aa4006e40e0133984bee6ea585a33616d1268b8f9865230bca826302e8a76032b6fcbb074027acf57dfd08e6f6e0aacd84c1c2cb9648dc2e5a56e3b663f4179d8bff591d823c19cf11df7b2ba168574bc43248cec65f2016a567374dac691b82065edcf4eb6a4e8c0a44fdb97152624679d3b2b5a518c2cb37f1e1bdc295f678b4f8da83c36901a19c3cb2efb144377fc7c291a976a912ffe561fffe17b22c702d1500fa954238c758a62e1b887fa57426e050451318b95d82449444406f98ba828871a7651a8b45786e98f1192e4dc8f9f763d56a3884fad65fdff44e72373657b765cd8c0b34481e92571c05ea4fb7f3616f13c9e48685d71e57173d895dcf367a112204c6b75f2fdc353bb884aaed3b7838abbeeb344600eaab1092151581cf06f17a8b92d89a5ceb3fe3ddbff55a99ecc6c77e02d4a2fac19512b719423b2907f7fae617236a9fc64a65dde69c60b4c8847bc5cd86a735282e0de6a8323f76dd382b1f6dc70153f76b6ce56335cb83d2587e850a427b0ff4518ec9e3d1bab371f3f49f2e1a369dd4d93db8a1fc14b4c48ae8f09ec7916a0fa7557c98ae70867e79df4b8c5c4d30a1367e402e8ba65589c2ce3e3418ef6e7b7128ae610ecdf04181864e89147b8ac2499159f0c7946aa63314f0f0aa0449eecb32731392e25bc209401845e6050d2c88b13df4c56fff407b212146e90e173e66bef910c69dd0ef9852151b571fce554caeafbcbe52512f6c21fc13791bbed0b8d187ccf44f456bb506e0f1b4c5c146e4db82b18dc83927c600b7cf33a25bdc7eaca51464e0759eca77c69e490dbca317e0331815acc1fd58144a1cca3ddd9c709bbd59ce47a0baad937df966d196a3cdb3b01cbf0366016cd09143799284b6f953144695ebc83eda98a631ffbf7917db486f73b1557b753c893c7c5d758c818b3c32cf3f87140ee10c250a6ed870e63a49bdd4e373a3ce4c3f3e6ba301b468efe3e75cb19104327dad388dc123336c34e27a11a787a0a3f7269f11554b6d6b7f0b2750687c8d452af77ef1924740fcde7c76ab9259a4ed6b80ea2a44cc670c2aa0636965f385003a1063590e42b5465aef3d9e85ed7d2034ac6ace78da6363998d1e477741dac3d6d13c8859f18a56c1d100d594ee47a941203e64ec8b24a03b334eb9e8e5809ff5530bec185235b3f88396f5cc5741e4b2945c4c24212c13bb546a90e74b27d3205dda017bfa1a13d8281f67470ac0d9666c7fb13f66bc41b360c9c69e8e0a577cf86369ddd57dc499d7130aa02ed78e05599b7bd3f9800e299361b1afdb5c737022a060e6fd3cd6e76823ce2ff3509889a7daabb1a4019ff321f2ef145a51dbfa6cad066df6f920d5d4471c2734645db002b77a08d01785fafec64ccb5af893979755b948f31f46a937ad24641c40172e1a954583fc56e8515b15251c19d81eccb60c4678756e9e8a6bceef10ba7c47ce79457c487dbd266e08514c6b762fffa783367f4a039dadf5f27de6dce1e70ed7c6c2e68da2e0558835e492b7f0b050e95965256af9b7ad5278281328e725fcc0169af5fb30919b71f2945d939c47da37c8afb36cf27679c26a1129e2397a93f41c70541d39cad2e45ff413b68c7675df465e337601ada01d3611568fd7b6d15834c8970c38b1fb703fec77eb15cda106ccf7e488909d98ef5dab775e71d8b588ba3e6b9dc499ac72a4c2f116d0aefd2c06a0407d4748ce53a43db1f37a5cbeac8baf2698f2acf274ea1bdc08ef733ff55734b73a81e8f3ce697177a247d0351dd413b22fd474aa83dc07ecac782a22245325041ef4e291320f2ff999bfe7255d0b22af482dde5d8271c8808114ecf9f4060607a07ce9f109e919f9d30b19272546958bcbb76f1cb91d42e5626a27120555b8542dcd9ebed1ffe177ec5cdd1bd0d384aaf2d205e24db5e28d07ade8600d2470a937b076eb8baf90194a11bd7b86a296288dd0550f06e1b2886abdfc516530a4ca45a7908ca3e4348902fd36b7951dab4abe9aa1e8d36beff93b1077ac256421e0e941ebaa7f0634b8cf2cfa7f3562181b06b5a459ed5aed92c38544f81363bcba66b7d772d5910b09fbd6a9146aabb7e0a73989fc2f1c6bdb40fdd2d9b60ff58cfc15b646ca87f4bb0ae07e799890d208b1bb8f1286301a2152ffbb4157bd34faaf6bab5c13a6ab37e0fc11b4c9feffd6a91f93d6b224ff4453ea9be2910b118fa5414eb432c98eefb5e5719dfcac810fd8b802e4efd035e554cc9fb1be7a00dd7eeafe19546641a702a381552d9b9b3b5183b6ef19e725fd90c47aaad2dc1afd206071904e1ca4f24883f5b6da52a1b926f5d7e5f4dcfbfc90791065ffbc21e12c2a7d4a0283c78f6a52ccd4172817316c26fc19c28876ec7ab24e1f11fa4315447648f461fb7f18e1600c37c3bf591c107bdd5d9c1363c85516073147e515850e7d2e67c4fe83d0cc3e19391584b7d9f4318abcd1c9a5c296714b885ac8df2ee154daa6324072fbb3f7ce2a0d7fa702c5ad112785b6ffe0d1d78284458f755a984f537f6f31a779922bb443fc9629d1be49171e00d598c1078efa3dbb6a3f7d1ef1eee77befd6f2beb0a8476d4132a9825234c29e4da597df282467f43064bb90c0abd04e6147d72c2401bc85d22c30b2f29581f55c53ee202dc5a5a952a0ba303415e8ff49e0bebd78ead8b5f58c622afebdf302169c2507357deabde15a413610e6e1ce0ed5cf07a9a035ac9447ec999b47366845692af99164d12ad07d44ff0ae4ce18a300624958ce1ef396a535e84a5995a9438986c6cac11a5c346891cd8667690d2d2daed913928ed3de0da355648c34487687ed8ec98f7f69ba4efc8084be2ea10653a8c0cc29e1a605139dc9833dad12223aae0b2aa3f38e2e5f9143b158902eba6fcf0dcc57b8e65eab7c103da840d95dc46afed724c7a6b8518f8996bbecb00cdf9397b1a265e9734ae6b7a7ed1d03e6cb16f091895f5763cd2ebf3999ff4a9308b0775da1bdf8c738167620d3310069839ad6e766597ab9ccdc9b5e4fa927a09333eb32e18fa4a92849dac40bc70dfe8d33a9585a7be3c78532a378b2efbc9106520b79d37a963ff032f939f5d6b103f3299ba75a5fb0ac72c6d797b59c9da9ec6bce7be7916dc60bcec8b5fafeb53ea19027c302a1fb0d93c59559daa7b24e35d10abc809b6cfdee8f86a56c5b450829bd28e978924af5c039cdd3ae8fb81006f1405a9da7a780ecba237d9e80b617f3ce5a0eec3adcea1b581411779ea9913b1c0f186267b3e84b6f0c210ff4a49282c5e614fd9f9dfbe3baf93ea46c3e5c2e90a91810394b5d9145c114528db655ce7505e33afd2dc8a12b3b924d205e76e17e0ebebc96defe6593dcd0601eb64a73da88f9e1e74c6e22d165ca9f4362a8e215c68b2b62efa48b8a25b37c4f7ebf629bc1e56f9df9e327463ac9ab86b7e3f04ce4519fc8bc16710785d83b513c6228e57a30e0c8abfbfa80f3a4094338f9db204e9d64e031dddd24b86d18abf8f0970d98942191e30d803c03dd9ef94895fc5e09119cb8968870bdc4534cdcbe4e743c0788a63e7cc73f24a06d863a691bd83167c91e242692e159d5150a16d4213b0083a42cc87724c5ebc5084bb724b77a3c26282ce0d1811f04a26da720e2321802e6d032bf9b1c7a18f6738a1c22d1405bd878a2d17eab9f381e8573ede3c64abd5938977af39a5a12ca7f42f3930afd8e422fc4e10340666aae78405f439924eda9b1b24bc53e8fa94535608fd9251a80a6e0b2c845f8ea320e0d0a79a12613e0ecea53d11b41331521e1a02c5c5d53f94c644a581043c9dfee28e7af6d82fae0dd6db1f62b8a4530401ed786e44513a0431cedd98fe31171a1c6d50aacbb93b108b5f7de9afeb978830816404c8b24823f7923c53b0c575b000ea5abf7d5c9a5b6648d80801bba14367743096dc4a07fb5db033d7d6df9395d9544373e5c4574d8c228cfd19959b8f08bb1a7c0c08c097b6b359a8e83f38da1bf0601f5c547a10028c928ee6447b55d7d15596f180423be676c9fbc89ac01bd63ced0244b8f6845500aedc73ee46c0ccd142bfee9b88a17f7df3ffbdf547d8f6800f90b86d8589d2f6aa0cb1f997a7c2517e9f17eb633050b18653310ae9cca542a04215cea0094a47f4fc428b2e370b27a49d5d0b7bcf9fd239f2fad86f529746e57822ad359dd87617821b26f05713b4945264f01089f9a0490f5911e2100a13d8dd0581f9b9a24033a47b1b5763b410a38b28ed15a3d3317e6832589df2bff579500ae27e668af171da863539224ac955c8ee822adf7552c4996f1233fec72c8806c96a91bb096a3ae3878eeecdd67d87d30197d94113da25aacaebd11260836a99858cd249e9dfd19a80fbff66b3fb94e96f12351b39ce160b05e220b09aa5ad3a8e3540cab64a5e866fcad4c6e449d38ecfc7df63164753180a897ba8116e4e84c39ea3b2f44bf5764c0cb1985da1f24b086c3fe81c90f3b22eb233be82346fa1c09809c0437cab482ae29a50f55704cd661b8c2793776fefa6361d169e3a05d0f208d10f59177173989bf51746b68016180b91689a16865b9871d1d7db19b8cdf4b3caaba52e5c9ce843b6357613016b2ead8c67b4ced493331e4c38446baac5ec66fbe4490043328b63baac0cc2cb3f254a8734ab3082761724241ba0b5c02df89c9ff1ba94c58d4db21645dc4f8acc57f36ec389e6f339249ea8fb3b3728538c4cb8549081c3c596527411a3c498235bcdb0d9ec2623825ff6ac00510eab1246097dab5401c617c6b7359834cb4c8", 0x1000}, {&(0x7f00000025c0)="0ae7afa123555f350be2b37bdb94317056b85a3347cad961884533bda4a9d94365a765de4eda574e6cd98cdc14eaf827c3274bf2fea069a180b9fe7db512202c3f0470d7873d2eafe608de25959865c9fd1383243d3ddfd06d9e7e0e9e47c7aba508d4", 0x63}], 0x7, &(0x7f0000002640)}], 0x1, 0x20000000)
ioctl$TCGETA(r0, 0x5405, &(0x7f0000002640))
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
setsockopt$inet6_group_source_req(r2, 0x29, 0x0, &(0x7f00000002c0)={0x7, {{0xa, 0x4e24, 0x7, @loopback, 0x5}}, {{0xa, 0x4e24, 0x10001, @local, 0x5}}}, 0x104)
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  367.131985][ T9672] binder_alloc: binder_alloc_mmap_handler: 9624 20001000-20004000 already mapped failed -16
15:42:20 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0xa00000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:20 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x400000500fff, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)
write$P9_RLOCK(r2, &(0x7f0000000000)={0x8, 0x35, 0x1, 0x1}, 0x8)

[  367.207667][   T17] binder: undelivered transaction 1492, process died.
[  367.229884][ T9672] binder_alloc: 9624: binder_alloc_buf, no vma
15:42:20 executing program 1:
mkdir(&(0x7f0000000000)='./file0\x00', 0x8)
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  367.279034][ T9625] binder_alloc: 9624: binder_alloc_buf, no vma
15:42:20 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xb803, 0x0)

[  367.332812][ T9672] binder: 9624:9672 transaction failed 29189/-3, size 24-8 line 3147
15:42:20 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x18000000}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:20 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x2000000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:20 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xca00, 0x0)

[  367.660470][ T9935] binder: BINDER_SET_CONTEXT_MGR already set
[  367.671825][ T9939] binder_alloc: binder_alloc_mmap_handler: 9932 20001000-20004000 already mapped failed -16
15:42:20 executing program 5:
r0 = syz_open_dev$adsp(&(0x7f0000000000)='/dev/adsp#\x00', 0x75, 0x0)
lstat(&(0x7f0000000140)='./file0\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, <r1=>0x0})
r2 = getgid()
fchownat(r0, &(0x7f0000000080)='./file0\x00', r1, r2, 0x1000)
r3 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r4, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
setxattr$trusted_overlay_upper(&(0x7f0000000340)='./file0\x00', &(0x7f0000000380)='trusted.overlay.upper\x00', &(0x7f0000000540)=ANY=[@ANYBLOB="00fbed004d1f3942eaf3fd21069b51c904e51bd011b6e547c025d0bdeb25130a1e09b861ef9f62e244534071d14a305ca244bcb6df0b9c79918f6c9a6d799a460e8f30e28ab3529fab5fcb4bcc215e426513a08b5dda9b444b1373bb30acf512c582935bb4dff588eb87917bdc56fd77fee103a47e865ddb6009aba35cc275aa2b13d22598662dd8a42a593d84eb7b1e2ba5161291155cfb6289b5a4e6d49a528482675bd83103daeac72c3432c2a78d2ad99a14fa4b395a20562e641fa78eeabd898fb7968b31837a81873ac70222305b27cd3cb32b6064a4e0f99614d3b77f38165c000000000000000000008730842e97dd37276311e5b0f7edf566189030cd8f8b4bbb7fe908c62556548236b104b4ddab961cff850ce8c90b446c8b6a49eb82c86399bd9417569d8c051f6ce8ff1b7c25c49ed8d0edf7c4dd407edfba4c9bc89d4c0263462a387c3a5e8e74040924c3f892a0952f9db210beef2385d3ffc6e5406971c1970f8baf970d441dc905c4dafe1212d8859da365dda486c8"], 0xed, 0x1)
ioctl$KVM_SET_REGS(r5, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r5, 0xae80, 0x0)

[  367.743380][ T9935] binder: 9934:9935 ioctl 40046207 0 returned -16
15:42:20 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = syz_open_dev$cec(&(0x7f0000000380)='/dev/cec#\x00', 0x1, 0x2)
ioctl$VIDIOC_REQBUFS(r1, 0xc0145608, &(0x7f0000000080)={0x100000001, 0x9, 0x2})
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r3 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000000000)='/proc/self/net/pfkey\x00', 0x2000, 0x0)
setsockopt$RXRPC_SECURITY_KEYRING(r1, 0x110, 0x2, &(0x7f0000000140)='/dev/cec#\x00', 0xa)
ioctl$LOOP_SET_STATUS(r3, 0x4c02, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x2, 0x7, 0x18, 0xc, "7dfe6a2958585fe958a47619a8162b2ec5e43c207905e83eb62e2f5973d6fb73c28d7f6d630e7a9d56fa27d51ed9a0a10a11d1b4b0383aa96367752b9b920fcd", "cd30ab42b0adcc0725a855921fa5c79da8033d0290c2acb8f4722cc132bf2913", [0xffffffffffffff81, 0x10001]})
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r4, 0xae80, 0x0)

[  367.792593][ T9936] binder: BINDER_SET_CONTEXT_MGR already set
[  367.800484][ T9936] binder: 9932:9936 ioctl 40046207 0 returned -16
[  367.849872][ T7807] binder: release 9932:9936 transaction 1499 out, still active
[  367.878872][ T7807] binder: unexpected work type, 4, not freed
15:42:20 executing program 1:
r0 = socket(0x19, 0x4, 0x10001)
preadv(r0, &(0x7f00000001c0)=[{&(0x7f0000000080)=""/194, 0xc2}, {&(0x7f0000000180)=""/63, 0x3f}, {&(0x7f0000000240)=""/114, 0x72}, {&(0x7f0000000480)=""/222, 0xde}], 0x4, 0x0)
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
r1 = creat(&(0x7f0000000000)='./file0\x00', 0xa)
ioctl$TIOCLINUX4(r1, 0x541c, &(0x7f0000000040))
ioctl$VIDIOC_SUBDEV_G_FRAME_INTERVAL(r1, 0xc0305615, &(0x7f00000002c0)={0x0, {0x5, 0x5}})
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000580)=ANY=[@ANYBLOB="5b01000000000000000000006cf1ac31358a407fa6e716ca80f4b96f69e8818422c2d127ff715f48532735523a4db551eddd380e5ec822679067e5ef07ee58865cc54fab9a86de74716a060024f31467639f37ace55c714c6bd0f2799247a6a4a7eedcf8bba1b86357e2be554ff2f99a64718799e2e0f4d82850f255aa91af3cbef2740c5fa9db71892a457a9123dde6afa70b6fbb8d69c808f4a18a1d4707c6563fbfb10387065ff41d56184f4533105d96359607f088aadff0be"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000380)='\xc0K\xbd\x90I\xac\xe4\x88[\x83\x9c\xe4\xf6\x10\x93\x8c)\xf0\xb0K7\xaeS!\x98\x9bT\x06i\xb7\x80B\xd9z\xdd\xef-U)2o\x98t/j\x14,\x1b4\x18\xa5\xf9\xd8\xa2\xa6\xd4\x82^\xb0\xc7\xa2\x99 \xbe0\xf7\xf4\xf9@2uh\xe0I\xd3/\xa3\xe1\x91\xb3\x8av\xfc\xfd\xff\x91HG\xc8\x1e\x0exK\x96\x0e\xb0\xfe\x7f\xe5\xf8+\x9d,i\xe8\x19\x9f\xd8,\xa7\x13L\x15\x03%\x135w\xe8F\xea\x0ft\xac\x80Q\f\x83Q\xe8\x1e\x9d\x8c\xf2\x19y\x01\x84\x85\xd8\x16\xeeY\x9e\xd4\x18\x8a\xd8\xb9\xb2\xbf!\x01\r\x97gm\xd7-\x0e45\x92HV\xe2\f\xf4\xfd\x1a6tK\xd30\xb4\x86\x80\x87\x8b>\x01~\xf4w\x0f\x12\xfd\xc65\xff\x82*s\x85\x9f`8\xbf\xaar\xa8\xa8\xbf\x1e\xdf\xc4\x8bdAfM9-\xed\x8d\x8e\xf5bWcu\xeb', 0x0, 0x0)

[  367.901161][ T7807] binder: send failed reply for transaction 1499, target dead
[  367.934559][ T7807] binder: undelivered transaction 1502, process died.
15:42:20 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xd003, 0x0)

15:42:20 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0xfdfdffff}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:21 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x4800000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:21 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xea03, 0x0)

15:42:21 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

[  368.217788][T10252] binder_alloc: binder_alloc_mmap_handler: 10207 20001000-20004000 already mapped failed -16
[  368.251696][T10248] binder: BINDER_SET_CONTEXT_MGR already set
15:42:21 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff5, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000240)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)
r0 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000000180)='/proc/self/net/pfkey\x00', 0x10000, 0x0)
ioctl$KDGKBTYPE(r0, 0x4b33, &(0x7f00000001c0))
ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD(r0, 0xc00c642d, &(0x7f0000000200)={<r1=>0x0, 0x0, r0})
ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD(r0, 0xc00c642d, &(0x7f0000000280)={r1, 0x80000, r0})
r2 = openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000000)='/proc/capi/capi20ncci\x00', 0x60102, 0x0)
getsockname$unix(r2, &(0x7f0000000080)=@abs, &(0x7f0000000140)=0x6e)
ioctl$SCSI_IOCTL_DOORLOCK(r2, 0x5380)

15:42:21 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$VIDIOC_G_DV_TIMINGS(r2, 0xc0845658, &(0x7f00000002c0)={0x0, @reserved})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
openat$vnet(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vhost-net\x00', 0x2, 0x0)
ioctl$KVM_RUN(r3, 0xae80, 0x0)
getsockopt$inet_udp_int(r2, 0x11, 0x65, &(0x7f0000000040), &(0x7f0000000080)=0x4)

[  368.289860][T10248] binder: 10237:10248 ioctl 40046207 0 returned -16
[  368.289912][T10221] binder: BINDER_SET_CONTEXT_MGR already set
15:42:21 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xedc0, 0x0)

[  368.374209][   T12] binder: release 10207:10221 transaction 1504 out, still active
[  368.383618][T10252] binder_alloc: 10207: binder_alloc_buf, no vma
[  368.398206][   T12] binder: unexpected work type, 4, not freed
[  368.414246][   T12] binder: send failed reply for transaction 1504, target dead
15:42:21 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x4c00000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  368.432767][T10221] binder: 10207:10221 ioctl 40046207 0 returned -16
[  368.451177][   T12] binder: undelivered transaction 1507, process died.
[  368.466804][T10252] binder_transaction: 1 callbacks suppressed
[  368.466823][T10252] binder: 10207:10252 transaction failed 29189/-3, size 24-0 line 3147
15:42:21 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf000, 0x0)

15:42:21 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0xfffffdfd}], 0x0}}}], 0x0, 0x0, 0x0})

[  368.582635][   T12] binder_release_work: 18 callbacks suppressed
[  368.582643][   T12] binder: undelivered TRANSACTION_ERROR: 29189
15:42:21 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffffff, 0x89e2, &(0x7f0000000000)={<r1=>r0})
getsockopt$inet_sctp6_SCTP_RECVNXTINFO(r1, 0x84, 0x21, &(0x7f0000000080), &(0x7f00000000c0)=0x4)

15:42:21 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
ioctl$KDGETLED(r2, 0x4b31, &(0x7f0000000000))
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
getsockopt$inet_sctp_SCTP_ADAPTATION_LAYER(r2, 0x84, 0x7, &(0x7f0000000080), &(0x7f0000000140)=0x4)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  368.729603][T10549] binder: BINDER_SET_CONTEXT_MGR already set
15:42:21 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf603, 0x0)

[  368.770638][T10549] binder: 10532:10549 ioctl 40046207 0 returned -16
[  368.833805][T10549] binder: BINDER_SET_CONTEXT_MGR already set
[  368.867446][T10549] binder: 10532:10549 ioctl 40046207 0 returned -16
15:42:21 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x6000000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  368.883305][ T7756] binder_send_failed_reply: 7 callbacks suppressed
[  368.883315][ T7756] binder: send failed reply for transaction 1510 to 10469:10482
[  368.904971][T10602] binder: 10532:10602 transaction failed 29189/-22, size 24-8 line 2994
[  368.918278][ T7756] binder: send failed reply for transaction 1511 to 10532:10602
15:42:21 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x20000, 0x0)

[  368.950785][ T7756] binder: undelivered transaction 1514, process died.
15:42:21 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x100000000000000}], 0x0}}}], 0x0, 0x0, 0x0})

[  369.004339][ T7756] binder: undelivered TRANSACTION_ERROR: 29189
[  369.037996][ T7756] binder_release_work: 27 callbacks suppressed
[  369.038030][ T7756] binder: undelivered TRANSACTION_COMPLETE
[  369.080416][ T7756] binder: undelivered TRANSACTION_COMPLETE
[  369.105800][ T7756] binder: undelivered TRANSACTION_ERROR: 29189
[  369.120447][T10793] binder: BINDER_SET_CONTEXT_MGR already set
15:42:22 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x989680, 0x0)

[  369.172793][T10793] binder: 10792:10793 ioctl 40046207 0 returned -16
[  369.183263][ T7756] binder: undelivered TRANSACTION_COMPLETE
[  369.189221][ T7756] binder: undelivered TRANSACTION_ERROR: 29189
15:42:22 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$audion(&(0x7f0000000000)='/dev/audio#\x00', 0x98, 0x0)
ioctl$VT_GETMODE(r2, 0x5601, &(0x7f0000000040))
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

15:42:22 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
getsockopt$ARPT_SO_GET_REVISION_TARGET(r2, 0x0, 0x63, &(0x7f0000000400)={'ipvs\x00'}, &(0x7f0000000440)=0x1e)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)
getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r2, 0x84, 0x1a, &(0x7f00000002c0)={<r4=>0x0, 0x47, "b4a4665baf2e4cc9a477f7c4f0b99635fab9bf07ee232a6a989537b290308b01a59bc64cd1411f7398c285e82b0dd5e88825a29f4a1691b8b0f7f2fd1d8143fb1be65f6eea83cc"}, &(0x7f0000000000)=0x4f)
getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(r2, 0x84, 0x6, &(0x7f0000000340)={<r5=>r4, @in6={{0xa, 0x4e23, 0xd83c, @mcast2, 0xfffffffffffffff8}}}, &(0x7f0000000080)=0x84)
getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r2, 0x84, 0xa, &(0x7f0000000740)={0x1f, 0x3, 0x8200, 0x4d3, 0x262, 0x5, 0x80000001, 0x3, r5}, &(0x7f0000000780)=0x20)
setsockopt$inet_sctp_SCTP_STREAM_SCHEDULER_VALUE(r0, 0x84, 0x7c, &(0x7f0000000140)={r5, 0x1000100800001, 0x3}, 0x8)
r6 = semget(0x3, 0x3, 0x10)
getsockopt$inet6_IPV6_IPSEC_POLICY(r2, 0x29, 0x22, &(0x7f0000000480)={{{@in=@loopback, @in=@multicast2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r7=>0x0}}, {{@in6=@local}, 0x0, @in=@empty}}, &(0x7f0000000580)=0xe8)
getresgid(&(0x7f00000005c0), &(0x7f0000000600)=<r8=>0x0, &(0x7f0000000640))
r9 = geteuid()
fstat(r0, &(0x7f0000000680)={0x0, 0x0, 0x0, 0x0, 0x0, <r10=>0x0})
semctl$IPC_SET(r6, 0x0, 0x1, &(0x7f0000000700)={{0x7, r7, r8, r9, r10, 0x1, 0x3}, 0x7, 0x2, 0x1})

15:42:22 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
syz_open_dev$usb(&(0x7f0000000000)='/dev/bus/usb/00#/00#\x00', 0x1, 0x101040)
mount(&(0x7f0000003d00)=@filename='./file0\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:42:22 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x6800000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  369.230354][ T7756] binder: send failed reply for transaction 1517 to 10634:10641
[  369.251829][T10819] binder_alloc: 10792: binder_alloc_buf, no vma
[  369.256562][ T7756] binder: send failed reply for transaction 1518 to 10792:10819
[  369.288401][T10825] binder: BINDER_SET_CONTEXT_MGR already set
[  369.309878][ T7756] binder: undelivered transaction 1521, process died.
[  369.317057][T10819] binder: 10792:10819 transaction failed 29189/-3, size 24-8 line 3147
[  369.327287][T10833] ceph: device name is missing path (no : separator in ./file0)
15:42:22 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf0ffff, 0x0)

[  369.346254][T10825] binder: 10824:10825 ioctl 40046207 0 returned -16
[  369.367490][ T7756] binder: undelivered TRANSACTION_ERROR: 29189
15:42:22 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x200000000000000}], 0x0}}}], 0x0, 0x0, 0x0})

[  369.393779][ T7756] binder: undelivered TRANSACTION_COMPLETE
[  369.429315][ T7756] binder: undelivered TRANSACTION_COMPLETE
[  369.468125][ T7756] binder: undelivered TRANSACTION_ERROR: 29189
15:42:22 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x1000000, 0x0)

[  369.500539][ T7756] binder: undelivered TRANSACTION_COMPLETE
[  369.509699][T10998] binder_alloc_mmap_handler: 2 callbacks suppressed
[  369.509721][T10998] binder_alloc: binder_alloc_mmap_handler: 10963 20001000-20004000 already mapped failed -16
[  369.536415][ T7756] binder: undelivered TRANSACTION_ERROR: 29189
[  369.543166][T10998] binder: BINDER_SET_CONTEXT_MGR already set
15:42:22 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x6c00000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  369.573806][T11015] binder_alloc: 10963: binder_alloc_buf, no vma
15:42:22 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=ANY=[@ANYBLOB="5b64aaa6e8c9cd81cd623ac8"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  369.620221][ T7807] binder: release 10963:10971 transaction 1525 out, still active
[  369.631009][T10998] binder: 10963:10998 ioctl 40046207 0 returned -16
[  369.645667][ T7807] binder: unexpected work type, 4, not freed
[  369.659787][T10971] binder_alloc: 10963: binder_alloc_buf, no vma
15:42:22 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = openat$audio(0xffffffffffffff9c, &(0x7f0000000000)='/dev/audio\x00', 0x400000, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000000080), 0x4}}, 0x0, 0x0, r2, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
getsockopt$inet_IP_XFRM_POLICY(r2, 0x0, 0x11, &(0x7f00000002c0)={{{@in6=@mcast2, @in6=@local, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r3=>0x0}}, {{@in=@remote}, 0x0, @in6}}, &(0x7f0000000140)=0xe8)
r4 = getgid()
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', r3, r4, 0x0)
r5 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r5, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r5, 0xae80, 0x0)

[  369.682048][T11054] binder: BINDER_SET_CONTEXT_MGR already set
[  369.683032][ T7807] binder: undelivered TRANSACTION_COMPLETE
15:42:22 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$CAPI_MANUFACTURER_CMD(r2, 0xc0084320, &(0x7f0000000140)={0x4, &(0x7f0000000000)="5f25e30898ec5db788593b50d04488722fb70efbe5fe45a0d12fb9ecba418c9014efd4be68059dcc6717e6196b88e633dda8fc0cd9b9a0b0bae1a604f1dc6760376a4f399b8f8da85426c1c564951a8094e1a40b4f0f7e1c90a572b4d1be3934ac8d35bcb8f25b7f2f14fe92184c8f7fcae7102905ebcf51e30f2e2bdbbcef5bf317aa813eb4c7a85bdd0ada13cdebcfaaa053ce3b7baa3949d642bc6ca82b8e46d47ca90c137a52307f11fa7e388f14f91c01a8cfd928"})
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  369.727234][T11015] binder: 10963:11015 transaction failed 29189/-3, size 24-8 line 3147
[  369.729947][T11054] binder: 11053:11054 ioctl 40046207 0 returned -16
[  369.744493][T11058] ceph: device name is missing path (no : separator in [d����́�b:�)
[  369.756786][ T7807] binder: undelivered TRANSACTION_COMPLETE
[  369.773730][T10971] binder: 10963:10971 transaction failed 29189/-3, size 24-0 line 3147
[  369.791035][ T7756] binder: send failed reply for transaction 1525, target dead
[  369.803359][ T7756] binder: undelivered transaction 1528, process died.
15:42:22 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x1800000000000000}], 0x0}}}], 0x0, 0x0, 0x0})

[  369.850055][ T7807] binder: undelivered TRANSACTION_ERROR: 29189
[  369.881634][ T7807] binder: undelivered TRANSACTION_ERROR: 29189
15:42:22 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x2000000, 0x0)

15:42:22 executing program 1:
r0 = syz_open_dev$media(&(0x7f0000000080)='/dev/media#\x00', 0x6, 0x0)
getsockopt$inet_dccp_int(r0, 0x21, 0x1f, &(0x7f00000001c0), &(0x7f0000000140)=0x4)
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=ANY=[@ANYBLOB='[d::L:/llb:\x00'], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)
openat$apparmor_thread_current(0xffffffffffffff9c, &(0x7f0000000000)='/proc/thread-self/attr/current\x00', 0x2, 0x0)
mkdir(&(0x7f0000000180)='./file0\x00', 0x100)

15:42:22 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x7400000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  370.009677][T11272] binder_alloc: binder_alloc_mmap_handler: 11270 20001000-20004000 already mapped failed -16
15:42:23 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
getgroups(0x2, &(0x7f0000000080)=[0xffffffffffffffff, <r3=>0xee00])
getsockopt$inet6_IPV6_XFRM_POLICY(r2, 0x29, 0x23, &(0x7f00000002c0)={{{@in6=@empty, @in=@multicast2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r4=>0x0}}, {{@in6=@remote}, 0x0, @in=@dev}}, &(0x7f0000000140)=0xe8)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', r4, r3, 0x2)
r5 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r5, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
syz_extract_tcp_res$synack(&(0x7f0000000000), 0x1, 0x0)
ioctl$KVM_RUN(r5, 0xae80, 0x0)

[  370.069857][T11271] binder: BINDER_SET_CONTEXT_MGR already set
[  370.108016][T11280] binder: BINDER_SET_CONTEXT_MGR already set
[  370.119369][T11271] binder: 11270:11271 ioctl 40046207 0 returned -16
[  370.129626][T11280] binder: 11278:11280 ioctl 40046207 0 returned -16
[  370.130352][T11284] libceph: resolve 'd' (ret=-3): failed
15:42:23 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$BLKSECTGET(r2, 0x1267, &(0x7f0000000000))
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  370.172018][T11272] binder_alloc: 11270: binder_alloc_buf, no vma
[  370.178149][T11284] libceph: parse_ips bad ip '[d::L'
[  370.182566][ T7756] binder: release 11270:11271 transaction 1532 out, still active
[  370.191390][ T7756] binder: unexpected work type, 4, not freed
[  370.202540][T11272] binder: 11270:11272 transaction failed 29189/-3, size 24-8 line 3147
[  370.211078][T11283] binder_alloc: 11270: binder_alloc_buf, no vma
15:42:23 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x3000000, 0x0)

[  370.259463][T11283] binder: 11270:11283 transaction failed 29189/-3, size 24-0 line 3147
[  370.271751][ T7756] binder: undelivered TRANSACTION_COMPLETE
15:42:23 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0xfdfdffff00000000}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:23 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x7a00000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  370.311282][ T7756] binder: undelivered TRANSACTION_COMPLETE
[  370.349186][ T7756] binder: undelivered TRANSACTION_ERROR: 29189
15:42:23 executing program 1:
mkdir(&(0x7f0000000000)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  370.396605][ T7756] binder: send failed reply for transaction 1532, target dead
[  370.437381][ T7756] binder: undelivered transaction 1535, process died.
[  370.448768][T11503] binder_alloc: binder_alloc_mmap_handler: 11497 20001000-20004000 already mapped failed -16
[  370.459577][T11502] binder: BINDER_SET_CONTEXT_MGR already set
[  370.518464][T11502] binder: 11501:11502 ioctl 40046207 0 returned -16
[  370.525422][T11498] binder: BINDER_SET_CONTEXT_MGR already set
[  370.561405][T11498] binder: 11497:11498 ioctl 40046207 0 returned -16
[  370.561618][T11524] binder_alloc: 11497: binder_alloc_buf, no vma
15:42:23 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x4000000, 0x0)

[  370.603812][T11524] binder: 11497:11524 transaction failed 29189/-3, size 24-8 line 3147
[  370.613226][ T7807] binder: send failed reply for transaction 1539 to 11497:11498
[  370.621133][ T7807] binder: undelivered transaction 1542, process died.
15:42:23 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}, 0x2}}], 0x0, 0x0, 0x0})

15:42:23 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000000)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$RTC_EPOCH_SET(r2, 0x4004700e, 0x101)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

15:42:23 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0xfdfdffff00000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:23 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
ioctl$TUNSETLINK(r1, 0x400454cd, 0x320)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x1)
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f00000002c0)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  370.784612][T11671] binder: 11662:11671 got transaction with unaligned buffers size, 2
[  370.811874][T11692] binder: BINDER_SET_CONTEXT_MGR already set
15:42:23 executing program 1:
bpf$OBJ_GET_MAP(0x7, &(0x7f0000000080)={&(0x7f0000000000)='./file0\x00'}, 0x10)
r0 = syz_open_dev$evdev(&(0x7f0000000100)='/dev/input/event#\x00', 0x9, 0x80000)
r1 = syz_open_dev$vcsa(&(0x7f00000001c0)='/dev/vcsa#\x00', 0x62, 0x80080)
r2 = syz_genetlink_get_family_id$tipc(&(0x7f00000013c0)='TIPC\x00')
sendmsg$TIPC_CMD_RESET_LINK_STATS(r1, &(0x7f0000001480)={&(0x7f0000001380)={0x10, 0x0, 0x0, 0xa0083000}, 0xc, &(0x7f0000001440)={&(0x7f0000001400)={0x30, r2, 0x100, 0x70bd2b, 0x25dfdbfc, {{}, 0x0, 0x410c, 0x0, {0x14, 0x14, 'broadcast-link\x00'}}, ["", "", ""]}, 0x30}, 0x1, 0x0, 0x0, 0x80}, 0x0)
ioctl$EVIOCGNAME(r0, 0x80404506, &(0x7f0000000240)=""/4096)
mkdir(&(0x7f0000000140)='./file0/file0\x00', 0x10)
fstat(r0, &(0x7f0000001240)={0x0, 0x0, 0x0, 0x0, <r3=>0x0})
quotactl(0xba3b, &(0x7f0000000180)='./file0\x00', r3, &(0x7f00000012c0)="3e5b182b897429fcb5d6e49bfad9a957cbac14da0dc539aae1fc8f09e099bbfb0a9ab811ded3f7cb3e546050d1dc3c6014caba9a930d2962ebf0d989e27254dfe8dd74725e4d866c9173741833978a01f17075031a941cf64afa2b12f4f23d2eb9f9aed64584c1bc40afdd62fec309d4154c14c612676d27cc443cae1efbd418279160ece1d53a00")
clone(0x22000, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=ANY=[@ANYBLOB="5b8a537e4a3a2f6c05003a00"], &(0x7f0000000200)='./file0\x00', &(0x7f00000000c0)='ceph\x00', 0xfffffffffffffffd, 0x0)

[  370.847024][T11692] binder: 11674:11692 ioctl 40046207 0 returned -16
[  370.857810][T11671] binder: 11662:11671 transaction failed 29201/-22, size 24-0 line 3210
[  370.914897][T11751] binder_alloc: binder_alloc_mmap_handler: 11662 20001000-20004000 already mapped failed -16
15:42:23 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x5000000, 0x0)

15:42:23 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x630b, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  371.053801][T11751] binder_alloc: 11662: binder_alloc_buf, no vma
15:42:24 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)
ioctl$FS_IOC_GETVERSION(r1, 0x80047601, &(0x7f0000000000))

[  371.100688][T11879] binder: BINDER_SET_CONTEXT_MGR already set
[  371.104813][T11751] binder: 11662:11751 transaction failed 29189/-3, size 24-8 line 3147
[  371.123645][T26837] binder: send failed reply for transaction 1545 to 11662:11671
[  371.131893][T11879] binder: 11878:11879 ioctl 40046207 0 returned -16
15:42:24 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}, 0x18}}], 0x0, 0x0, 0x0})

15:42:24 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
r0 = syz_open_dev$audion(&(0x7f0000000000)='/dev/audio#\x00', 0x8, 0x4000)
r1 = syz_genetlink_get_family_id$tipc(&(0x7f00000000c0)='TIPC\x00')
sendmsg$TIPC_CMD_GET_REMOTE_MNG(r0, &(0x7f00000001c0)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x1008400}, 0xc, &(0x7f0000000180)={&(0x7f0000000140)={0x1c, r1, 0x14, 0x70bd2a, 0x25dfdbff, {}, ["", ""]}, 0x1c}, 0x1, 0x0, 0x0, 0x4000000}, 0x20000000)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:42:24 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x6000000, 0x0)

[  371.309662][T12037] binder_alloc: binder_alloc_mmap_handler: 12015 20001000-20004000 already mapped failed -16
15:42:24 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vcs\x00', 0x0, 0x0)
ioctl$EVIOCREVOKE(r2, 0x40044591, &(0x7f0000000140)=0x9)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/infiniband/rdma_cm\x00', 0x2, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

15:42:24 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x630c, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  371.354375][T12028] binder: BINDER_SET_CONTEXT_MGR already set
[  371.385295][T12028] binder: 12015:12028 ioctl 40046207 0 returned -16
[  371.442528][T26837] binder: send failed reply for transaction 1552 to 12015:12028
[  371.450253][T26837] binder: undelivered transaction 1555, process died.
15:42:24 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}, 0x1800}}], 0x0, 0x0, 0x0})

[  371.500020][T12072] binder: 12071:12072 unknown command 0
[  371.525019][T12072] binder: 12071:12072 ioctl c0306201 200002c0 returned -22
[  371.603966][T12113] binder: BINDER_SET_CONTEXT_MGR already set
[  371.631088][T12113] binder: 12104:12113 ioctl 40046207 0 returned -16
[  371.670224][T12255] binder_alloc: binder_alloc_mmap_handler: 12104 20001000-20004000 already mapped failed -16
15:42:24 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x7000000, 0x0)

15:42:24 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)

[  371.716984][T12113] binder: BINDER_SET_CONTEXT_MGR already set
15:42:24 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x630d, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  371.773275][T12113] binder: 12104:12113 ioctl 40046207 0 returned -16
[  371.785046][ T7756] binder: release 12104:12288 transaction 1562 out, still active
[  371.806277][ T7756] binder: unexpected work type, 4, not freed
15:42:24 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}, 0x1000000}}], 0x0, 0x0, 0x0})

15:42:24 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:42:24 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000980))
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r4, 0xae80, 0x0)
preadv(r3, &(0x7f0000000940)=[{&(0x7f0000000600)=""/227, 0xe3}, {&(0x7f0000000700)=""/173, 0xad}, {&(0x7f00000007c0)=""/236, 0xec}, {&(0x7f00000008c0)=""/95, 0x5f}, {&(0x7f0000000140)=""/39, 0x27}], 0x5, 0x0)
ioctl$sock_SIOCGPGRP(r3, 0x8904, &(0x7f0000000340)=<r5=>0x0)
getsockopt$inet6_IPV6_XFRM_POLICY(r3, 0x29, 0x23, &(0x7f0000000380)={{{@in=@loopback, @in6=@initdev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r6=>0x0}}, {{@in=@broadcast}, 0x0, @in6=@empty}}, &(0x7f0000000480)=0xe8)
lstat(&(0x7f00000004c0)='./file0\x00', &(0x7f0000000500)={0x0, 0x0, 0x0, 0x0, 0x0, <r7=>0x0})
sendmsg$unix(r3, &(0x7f00000005c0)={&(0x7f0000000000)=@file={0x0, './file0\x00'}, 0x6e, &(0x7f0000000300)=[{&(0x7f0000000080)="eacaa7f5e123", 0x6}, {&(0x7f0000000140)}, {&(0x7f00000002c0)="57d11eb33c900b570575280eb61dc37ab8d7d048a8605a2171d7f2da7fbefc", 0x1f}], 0x3, &(0x7f0000000580)=[@rights={0x1c, 0x1, 0x1, [r1, r2, r0, r4]}, @cred={0x18, 0x1, 0x2, r5, r6, r7}], 0x34, 0x80}, 0x20000000)

[  371.833559][ T7756] binder: release 12104:12113 transaction 1558 out, still active
[  371.852055][T12297] binder: BINDER_SET_CONTEXT_MGR already set
[  371.857451][ T7756] binder: unexpected work type, 4, not freed
15:42:24 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = syz_open_dev$usb(&(0x7f0000000000)='/dev/bus/usb/00#/00#\x00', 0x7, 0x200)
setsockopt$IP_VS_SO_SET_STOPDAEMON(r1, 0x0, 0x48c, &(0x7f0000000080)={0x0, 'dummy0\x00', 0x2}, 0x18)
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$KVM_RUN(r3, 0xae80, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})

[  371.921681][T12297] binder: 12296:12297 ioctl 40046207 0 returned -16
[  371.921752][ T7756] binder: send failed reply for transaction 1557 to 12071:12072
[  371.978611][ T7756] binder: send failed reply for transaction 1558, target dead
[  371.986375][T12332] binder_alloc: binder_alloc_mmap_handler: 12305 20001000-20004000 already mapped failed -16
[  371.990643][ T7756] binder: send failed reply for transaction 1562, target dead
[  372.025537][T12314] binder: BINDER_SET_CONTEXT_MGR already set
[  372.038267][T12314] binder: 12305:12314 ioctl 40046207 0 returned -16
[  372.038529][T12332] binder_alloc: 12305: binder_alloc_buf, no vma
[  372.062647][T12314] binder_alloc: 12305: binder_alloc_buf, no vma
[  372.069464][ T7807] binder: release 12305:12314 transaction 1566 out, still active
15:42:25 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x8000000, 0x0)

[  372.082549][ T7807] binder: unexpected work type, 4, not freed
[  372.107699][ T7807] binder: send failed reply for transaction 1566, target dead
15:42:25 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}, 0x2000000}}], 0x0, 0x0, 0x0})

15:42:25 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40046302, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:25 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
setxattr$security_evm(&(0x7f0000000000)='./file0\x00', &(0x7f0000000080)='security.evm\x00', &(0x7f0000000140)=@v1={0x2, "3af05789ad8ac46c134b0e5b65"}, 0xe, 0x1)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

15:42:25 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

15:42:25 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
r0 = syz_open_dev$usbmon(&(0x7f00000000c0)='/dev/usbmon#\x00', 0x47, 0x40000)
ioctl$KVM_REINJECT_CONTROL(r0, 0xae71, &(0x7f0000000240)={0x2})
getxattr(&(0x7f0000000000)='./file0\x00', &(0x7f0000000080)=@known='system.advise\x00', &(0x7f0000000140)=""/130, 0x82)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  372.311873][T12519] binder: BC_ACQUIRE_RESULT not supported
[  372.326683][T12530] binder: BINDER_SET_CONTEXT_MGR already set
[  372.341730][T12519] binder: 12500:12519 ioctl c0306201 200002c0 returned -22
[  372.350737][T12530] binder: 12529:12530 ioctl 40046207 0 returned -16
[  372.403602][T12533] binder_alloc: binder_alloc_mmap_handler: 12529 20001000-20004000 already mapped failed -16
15:42:25 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xa000000, 0x0)

[  372.449262][T12530] binder: BINDER_SET_CONTEXT_MGR already set
[  372.463280][T12530] binder: 12529:12530 ioctl 40046207 0 returned -16
[  372.509468][ T7756] binder: release 12529:12533 transaction 1578 out, still active
15:42:25 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}, 0x18000000}}], 0x0, 0x0, 0x0})

15:42:25 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40046304, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  372.555375][ T7756] binder: unexpected work type, 4, not freed
[  372.564669][ T7756] binder: release 12529:12533 transaction 1574 out, still active
[  372.580439][ T7756] binder: unexpected work type, 4, not freed
[  372.594491][ T7756] binder: send failed reply for transaction 1573 to 12500:12519
[  372.611397][ T7756] binder: send failed reply for transaction 1574, target dead
[  372.640797][ T7756] binder: send failed reply for transaction 1578, target dead
[  372.665161][T12698] binder: BINDER_SET_CONTEXT_MGR already set
[  372.674051][T12700] binder_alloc: binder_alloc_mmap_handler: 12660 20001000-20004000 already mapped failed -16
[  372.679651][T12698] binder: 12677:12698 ioctl 40046207 0 returned -16
15:42:25 executing program 5:
r0 = openat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', 0x8800, 0x10)
getsockopt$inet_sctp6_SCTP_RECVRCVINFO(r0, 0x84, 0x20, &(0x7f00000002c0), &(0x7f0000000300)=0x4)
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$radio(&(0x7f0000000340)='/dev/radio#\x00', 0x2, 0x2)
epoll_wait(r3, &(0x7f0000000380)=[{}, {}, {}], 0x3, 0x400)
r4 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
getsockname$inet6(r4, &(0x7f0000000400)={0xa, 0x0, 0x0, @empty}, &(0x7f0000000440)=0x1c)
r5 = getegid()
r6 = geteuid()
fchownat(r4, &(0x7f0000000080)='./file0\x00', r6, r5, 0x1400)
r7 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
setsockopt$inet_sctp6_SCTP_MAX_BURST(r0, 0x84, 0x14, &(0x7f00000003c0)=@int=0x8, 0x4)
getsockopt$inet_sctp_SCTP_DISABLE_FRAGMENTS(r4, 0x84, 0x8, &(0x7f0000000040), &(0x7f0000000140)=0x4)
ioctl$KVM_SET_REGS(r7, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r7, 0xae80, 0x0)

[  372.712696][T12681] binder: BINDER_SET_CONTEXT_MGR already set
15:42:25 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x1, 0x0)
ioctl$KVM_CREATE_PIT2(r2, 0x4040ae77, &(0x7f0000000040)={0x7})
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
openat$cuse(0xffffffffffffff9c, &(0x7f0000000000)='/dev/cuse\x00', 0x2, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$int_out(r1, 0x5462, &(0x7f0000000080))
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_SET_GSI_ROUTING(r2, 0x4008ae6a, &(0x7f00000003c0)=ANY=[@ANYBLOB="04000000000000000080000002000000000000000000000000000000000000800000000000000000000000000000000000000000000000000000008007002000000000000000000003000000001000000000000000ffeb0000000000000000000000000000000000000000000100000000000000000000000600000000000000040000000000000003000000000000000700000000000c0008000000020000000000000000000000b20d0000fba300000000000000000000000000000000000000000000000000008f84d55ad7ef2520e6281590455a454fe19c53603ee746ac1c742a0b3f5eb88fac4564473c68e823"])
ioctl$KVM_RUN(r3, 0xae80, 0x0)

15:42:25 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
r0 = syz_open_dev$dspn(&(0x7f0000000180)='/dev/dsp#\x00', 0x9, 0x0)
ioctl$TIOCGSID(r0, 0x5429, &(0x7f0000000040)=<r1=>0x0)
ioctl$TIOCSPGRP(r0, 0x5410, &(0x7f00000002c0)=r1)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(0xffffffffffffff9c, 0x84, 0x6f, &(0x7f00000001c0)={<r2=>0x0, 0x68, &(0x7f0000000380)=[@in6={0xa, 0x4e23, 0x40, @initdev={0xfe, 0x88, [], 0x1, 0x0}, 0x1000}, @in={0x2, 0x4e21, @broadcast}, @in6={0xa, 0x4e24, 0x2, @empty, 0x8}, @in={0x2, 0x4e21, @rand_addr=0x4}, @in={0x2, 0x4e21, @dev={0xac, 0x14, 0x14, 0x23}}]}, &(0x7f0000000400)=0xc)
setsockopt$inet_sctp_SCTP_AUTH_DELETE_KEY(r0, 0x84, 0x19, &(0x7f0000000240)={r2, 0xfffffffffffffffb}, 0x8)
getsockopt$inet_sctp6_SCTP_PR_ASSOC_STATUS(r0, 0x84, 0x73, &(0x7f0000000440)={r2, 0x4, 0x10, 0xffffffff, 0x1}, &(0x7f0000000480)=0x18)
getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000000000)={<r3=>0x0}, &(0x7f0000000080)=0xc)
getsockopt$inet_sctp6_SCTP_DISABLE_FRAGMENTS(r0, 0x84, 0x8, &(0x7f0000000300), &(0x7f0000000600)=0x4)
setsockopt$inet_sctp6_SCTP_DELAYED_SACK(r0, 0x84, 0x10, &(0x7f00000004c0)=@sack_info={r2, 0x7}, 0xc)
r4 = openat$zero(0xffffffffffffff9c, &(0x7f0000000140)='/dev/zero\x00', 0x0, 0x0)
setsockopt$inet6_tcp_TCP_MD5SIG(r4, 0x6, 0xe, &(0x7f0000000500)={@in6={{0xa, 0x4e22, 0x3, @mcast1, 0x2}}, 0x0, 0x8000, 0x0, "2050b2f3d678c5185f83b758e15b34b1efc454679e5fab66f5f4939f5a225898c4b0aba5d14b57df0636f35f06cf5bd8d3746adf38c2372a1aae9cd27118156f39574503e2dca131dd2ae7049a0a5a52"}, 0x23c)
sched_getattr(r3, &(0x7f00000000c0), 0x30, 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000280)=ANY=[@ANYBLOB="f63f3b214a16b23c6cdf42b1d5dc4f4e913efc92f0ac8e5064c8750983e8616c90f34e7517"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:42:25 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x20000000, 0x0)

[  372.820374][T12681] binder: 12660:12681 ioctl 40046207 0 returned -16
15:42:25 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40046307, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  372.862568][T12850] binder_alloc: 12660: binder_alloc_buf, no vma
[  372.883528][T12865] ceph: device name is missing path (no : separator in �?;!J�<l�B���ON�>���Pd�u	��al��Nu)
[  372.895748][T26837] binder: send failed reply for transaction 1582 to 12660:12681
15:42:25 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}, 0xfdfdffff}}], 0x0, 0x0, 0x0})

[  373.011606][T12916] binder: 12901:12916 DecRefs 0 refcount change on invalid ref 0 ret -22
[  373.044185][T12948] binder: BINDER_SET_CONTEXT_MGR already set
[  373.062813][T12916] binder: 12901:12916 unknown command 0
[  373.090475][T12948] binder: 12946:12948 ioctl 40046207 0 returned -16
15:42:26 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)
removexattr(&(0x7f0000000000)='./file0\x00', &(0x7f0000000380)=ANY=[@ANYBLOB="73656375726974792e2176626f786e6574302800c684b8d027cb346c88652b1e56f603d00c504f8905bedd821d0a9ffecb87707ba5c668b58a7757c4fff824f3a93b16226dec69a868077a728564df644d842f3affbad8d7c2d10bc3aa8ffce8d4f6e0a1f18894330b2c60db164b433e350c37d982ee1973bb08fbf52b259cc096ceb0846aab10cb3a943402ebf87e823c0ae556a5b941971b27800911be10e58f0747e762c68ba752012c87d4431fa9691228345da04c3f9fd350f21ea67d814e7c0923df76907a74c9ee3681969d4aff8c8dd4874a338fe20f6d50dfa822c7ad500e3808c3c33427aca3d29b2747ee2608dad85891955abf1b06834c589ea989fad63e65b32f86d83e050509000007a36cfb3423da8d87"])

[  373.109270][T12916] binder: 12901:12916 ioctl c0306201 200002c0 returned -22
15:42:26 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x20100000, 0x0)

[  373.147945][T12980] binder_alloc: binder_alloc_mmap_handler: 12946 20001000-20004000 already mapped failed -16
[  373.187719][    T5] binder: release 12946:12948 transaction 1593 out, still active
[  373.230448][    T5] binder: unexpected work type, 4, not freed
15:42:26 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
openat$proc_capi20(0xffffffffffffff9c, &(0x7f0000000000)='/proc/capi/capi20\x00', 0x10000, 0x0)
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

15:42:26 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}, 0xfffffdfd}}], 0x0, 0x0, 0x0})

[  373.270570][    T5] binder: release 12946:12980 transaction 1589 out, still active
[  373.281230][    T5] binder: unexpected work type, 4, not freed
[  373.343878][T13141] binder: BINDER_SET_CONTEXT_MGR already set
15:42:26 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x24010000, 0x0)

15:42:26 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40086303, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  373.389242][T13141] binder: 13140:13141 ioctl 40046207 0 returned -16
[  373.424881][T26837] binder: send failed reply for transaction 1589, target dead
[  373.447990][T26837] binder: send failed reply for transaction 1593, target dead
[  373.475423][T13209] binder_transaction: 9 callbacks suppressed
[  373.475440][T13209] binder: 13140:13209 transaction failed 29189/-22, size 24-8 line 2994
15:42:26 executing program 1:
r0 = openat$full(0xffffffffffffff9c, &(0x7f0000000080)='/dev/full\x00', 0x400040, 0x0)
ioctl$KVM_REGISTER_COALESCED_MMIO(r0, 0x4010ae67, &(0x7f00000000c0)={0x0, 0x1000})
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
pipe2(&(0x7f0000000000)={0xffffffffffffffff, <r1=>0xffffffffffffffff}, 0x4000)
ioctl$SNDRV_SEQ_IOCTL_SET_CLIENT_INFO(r1, 0x40bc5311, &(0x7f0000000140)={0xff, 0xdaafb0179691a77c, 'client1\x00', 0xffffffff80000000, "79debe2afae7eb0c", "d50ad35a4b8c379f601bf21bd5a0fd5f56da37ad02113fe2db8e7bef71ce28cc", 0x4, 0xac})
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)
getsockopt$inet_sctp_SCTP_PR_STREAM_STATUS(r1, 0x84, 0x74, &(0x7f0000000240)=""/142, &(0x7f0000000300)=0x8e)

[  373.520207][T13141] binder: 13140:13141 transaction failed 29189/-22, size 24-0 line 2994
[  373.544904][T13212] binder: 13211:13212 BC_FREE_BUFFER u0000000000000000 no match
15:42:26 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = syz_open_dev$amidi(&(0x7f0000000000)='/dev/amidi#\x00', 0x1f, 0x280400)
r2 = syz_genetlink_get_family_id$SEG6(&(0x7f0000000080)='SEG6\x00')
sendmsg$SEG6_CMD_SETHMAC(r1, &(0x7f0000000300)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x40000040}, 0xc, &(0x7f00000002c0)={&(0x7f0000000140)={0x38, r2, 0x420, 0x70bd29, 0x7, {}, [@SEG6_ATTR_HMACKEYID={0x8, 0x3, 0x5}, @SEG6_ATTR_HMACKEYID={0x8, 0x3, 0x4}, @SEG6_ATTR_DST={0x14, 0x1, @initdev={0xfe, 0x88, [], 0x1, 0x0}}]}, 0x38}, 0x1, 0x0, 0x0, 0x800}, 0xc010)
r3 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000ffb000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r4, 0xae80, 0x0)

[  373.603414][T13212] binder: 13211:13212 unknown command 0
[  373.610559][T13212] binder: 13211:13212 ioctl c0306201 200002c0 returned -22
[  373.615116][T13209] binder: BINDER_SET_CONTEXT_MGR already set
[  373.640802][T26837] binder_release_work: 20 callbacks suppressed
[  373.640809][T26837] binder: undelivered TRANSACTION_ERROR: 29189
[  373.686200][T13209] binder: 13140:13209 ioctl 40046207 0 returned -16
[  373.708985][T26837] binder: undelivered TRANSACTION_ERROR: 29189
[  373.740742][T26837] binder: release 13140:13221 transaction 1600 out, still active
15:42:26 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x3f000000, 0x0)

[  373.795957][T26837] binder: unexpected work type, 4, not freed
15:42:26 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}, 0x100000000000000}}], 0x0, 0x0, 0x0})

15:42:26 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x4008630a, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  373.846807][T26837] binder: send failed reply for transaction 1600, target dead
[  373.908985][T26837] binder: undelivered TRANSACTION_ERROR: 29189
[  373.918463][T13429] binder: 13428:13429 transaction failed 29201/-28, size 24-0 line 3147
[  373.934445][T13434] binder: BINDER_SET_CONTEXT_MGR already set
15:42:26 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x1000000, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
socket$inet6_tcp(0xa, 0x1, 0x0)
mount(&(0x7f0000000240)=ANY=[@ANYBLOB="5b32770d0300000000000000623a008f9b84a71ed1cf505a0bad094b69fc574ff62e48ffe47f3e5ee022eab885a2ef85436260074efd15673be8b837e05a66d669f33ff61b4a27bb023edebc5f57083571ef81775fb3e37b2573245e5a9f940b70c6ce9d0f1902a2a9ed3077b8bf04f94dd23670f0aac33d83bb6e65366b6c1183899a987a34391a106715e4c4019008df4c2753625415514b04aae5f96fd3f2e19687562d86abfd26d3b2dcf8fdd508c7d4f263beb712f6ece2f04de85b98152f1f1cdfe0a715ec6a16949182b12bf52fb6c88b810a699aebf9a61b30d55ab64393de2c1a24"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  373.954201][T13434] binder: 13430:13434 ioctl 40046207 0 returned -16
[  373.978606][T13429] binder: BINDER_SET_CONTEXT_MGR already set
[  373.998157][T13440] binder_alloc: 13428: binder_alloc_buf, no vma
[  374.005422][T13429] binder: 13428:13429 ioctl 40046207 0 returned -16
[  374.012206][T13440] binder: 13428:13440 transaction failed 29189/-3, size 24-8 line 3147
[  374.020937][   T17] binder: release 13428:13429 transaction 1604 out, still active
[  374.031789][   T17] binder: unexpected work type, 4, not freed
[  374.044736][   T17] binder_release_work: 18 callbacks suppressed
[  374.044742][   T17] binder: undelivered TRANSACTION_COMPLETE
15:42:26 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}, 0x200000000000000}}], 0x0, 0x0, 0x0})

15:42:27 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
ioctl$KVM_ASSIGN_SET_MSIX_NR(r1, 0x4008ae73, &(0x7f0000000140)={0x1f, 0xff})
r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
getgid()
r4 = getgid()
fchownat(0xffffffffffffffff, &(0x7f0000000340)='./file0\x00', 0x0, r4, 0x0)
r5 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r2, 0x84, 0x1a, &(0x7f00000002c0)={<r6=>0x0, 0x3b, "4e94ec3ae6409498d4d1e76095fef3fc6a8798ce8953da8bfd2ce018be447714f1afb75dabe4986f4e50b39bcc4252831a4a66b28e1fa29885d2e3"}, &(0x7f0000000000)=0x43)
setsockopt$inet_sctp6_SCTP_AUTH_DEACTIVATE_KEY(r3, 0x84, 0x23, &(0x7f0000000080)={r6, 0x3}, 0x8)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$CAPI_NCCI_OPENCOUNT(r3, 0x80044326, &(0x7f0000000040)=0x3)
ioctl$KVM_SET_REGS(r5, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r5, 0xae80, 0x0)

15:42:27 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
r1 = openat$full(0xffffffffffffff9c, &(0x7f0000000000)='/dev/full\x00', 0x200200, 0x0)
getsockopt$packet_buf(r1, 0x107, 0x7, &(0x7f00000002c0)=""/156, &(0x7f0000000040)=0x9c)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  374.063902][   T17] binder: undelivered TRANSACTION_ERROR: 29201
[  374.080408][   T17] binder: undelivered TRANSACTION_ERROR: 29189
15:42:27 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40086310, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  374.127766][   T17] binder: send failed reply for transaction 1604, target dead
[  374.160023][T13590] binder: 13577:13590 transaction failed 29201/-28, size 24-0 line 3147
15:42:27 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x40000000, 0x0)

[  374.214816][T13624] binder: BINDER_SET_CONTEXT_MGR already set
15:42:27 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='\x00\x00\x00\x00\x00', 0x0, 0x0)

[  374.262807][T13590] binder: BINDER_SET_CONTEXT_MGR already set
[  374.262852][T13647] binder_alloc: 13577: binder_alloc_buf, no vma
[  374.278872][T13624] binder: 13620:13624 ioctl 40046207 0 returned -16
[  374.308385][T13590] binder: 13577:13590 ioctl 40046207 0 returned -16
[  374.320492][   T17] binder_send_failed_reply: 2 callbacks suppressed
[  374.320503][   T17] binder: send failed reply for transaction 1610 to 13577:13590
[  374.336312][   T17] binder: undelivered TRANSACTION_COMPLETE
[  374.342858][   T17] binder: undelivered TRANSACTION_ERROR: 29201
15:42:27 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}, 0x1800000000000000}}], 0x0, 0x0, 0x0})

15:42:27 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
socket$bt_bnep(0x1f, 0x3, 0x4)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)
getsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f00000002c0)={<r4=>0x0, @in={{0x2, 0x4e22, @local}}, 0xaa69, 0xd3f9, 0x7fffffff, 0x7fffffff, 0xc1}, &(0x7f0000000000)=0x98)
getsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r2, 0x84, 0x9, &(0x7f0000000380)={r4, @in={{0x2, 0x4e21, @remote}}, 0x8, 0x5, 0xfffffffffffffffc, 0x2, 0xa}, &(0x7f0000000080)=0x98)

[  374.356221][T13647] binder: 13577:13647 transaction failed 29189/-3, size 24-8 line 3147
[  374.357866][   T17] binder: undelivered TRANSACTION_ERROR: 29189
[  374.388871][   T17] binder: undelivered TRANSACTION_ERROR: 29189
15:42:27 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x400c630e, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  374.491886][T13835] binder: 13834:13835 transaction failed 29201/-28, size 24-0 line 3147
15:42:27 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x78030000, 0x0)

15:42:27 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000380)=ANY=[@ANYBLOB='[d::]:/lnb:\x00'], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)
r0 = syz_open_dev$admmidi(&(0x7f0000000000)='/dev/admmidi#\x00', 0x9, 0x20002)
recvmsg(r0, &(0x7f0000000300)={&(0x7f0000000080)=@hci, 0x80, &(0x7f00000001c0)=[{&(0x7f0000000140)}, {&(0x7f0000000180)=""/35, 0x23}], 0x2, &(0x7f0000000240)=""/152, 0x98}, 0x2)

15:42:27 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
getsockopt$sock_cred(r2, 0x1, 0x11, &(0x7f0000000140)={<r4=>0x0}, &(0x7f00000003c0)=0xc)
write$FUSE_LK(r2, &(0x7f0000000400)={0x28, 0x0, 0x4, {{0x4b5a, 0x6, 0x0, r4}}}, 0x28)
pipe(&(0x7f0000000000)={0xffffffffffffffff, <r5=>0xffffffffffffffff})
getsockopt$inet6_IPV6_IPSEC_POLICY(r2, 0x29, 0x22, &(0x7f00000002c0)={{{@in=@dev, @in=@initdev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r6=>0x0}}, {{@in6=@empty}, 0x0, @in6=@ipv4={[], [], @empty}}}, &(0x7f0000000040)=0xe8)
bind$packet(r5, &(0x7f0000000080)={0x11, 0x1c, r6, 0x1, 0x7}, 0x14)
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4c8, 0x0, 0x0, 0x0, 0x7fffffffff], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  374.564558][T13878] binder: BINDER_SET_CONTEXT_MGR already set
[  374.586475][T13881] binder_alloc_mmap_handler: 3 callbacks suppressed
[  374.586493][T13881] binder_alloc: binder_alloc_mmap_handler: 13834 20001000-20004000 already mapped failed -16
[  374.627109][T13878] binder: 13877:13878 ioctl 40046207 0 returned -16
[  374.656903][T13835] binder: BINDER_SET_CONTEXT_MGR already set
[  374.719740][T13835] binder: 13834:13835 ioctl 40046207 0 returned -16
[  374.719763][T13983] binder_alloc: 13834: binder_alloc_buf, no vma
15:42:27 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x7a020000, 0x0)

15:42:27 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$VIDIOC_QUERYSTD(r2, 0x8008563f, &(0x7f0000000000))
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  374.765261][T13983] binder: 13834:13983 transaction failed 29189/-3, size 24-8 line 3147
[  374.769765][ T7807] binder: release 13834:13835 transaction 1616 out, still active
[  374.782173][ T7807] binder: unexpected work type, 4, not freed
15:42:27 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x400c630f, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  374.806043][ T7807] binder: undelivered TRANSACTION_COMPLETE
[  374.811943][ T7807] binder: undelivered TRANSACTION_ERROR: 29201
15:42:27 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x7c030000, 0x0)

15:42:27 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}, 0xfdfdffff00000000}}], 0x0, 0x0, 0x0})

[  374.883699][T14034] binder: BINDER_SET_CONTEXT_MGR already set
[  374.922996][T14034] binder: 14033:14034 ioctl 40046207 0 returned -16
[  374.926709][ T7807] binder: undelivered TRANSACTION_ERROR: 29189
[  374.953091][ T7807] binder: send failed reply for transaction 1616, target dead
[  374.992634][T14105] binder: 14082:14105 transaction failed 29201/-28, size 24-0 line 3147
15:42:28 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x80010000, 0x0)

15:42:28 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x20)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
r0 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm-monitor\x00', 0x400080, 0x0)
getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffff9c, 0x29, 0x23, &(0x7f0000000240)={{{@in6=@mcast1, @in6=@dev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r1=>0x0}}, {{@in=@initdev}, 0x0, @in=@empty}}, &(0x7f00000000c0)=0xe8)
sendmsg$nl_route(r0, &(0x7f0000000380)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x5000}, 0xc, &(0x7f00000001c0)={&(0x7f0000000140)=@ipv4_getaddr={0x58, 0x16, 0x100, 0x70bd2b, 0x25dfdbfe, {0x2, 0x38, 0x10, 0x0, r1}, [@IFA_LABEL={0x14, 0x3, 'veth0\x00'}, @IFA_ADDRESS={0x8, 0x1, @rand_addr=0x4}, @IFA_BROADCAST={0x8, 0x4, @multicast2}, @IFA_ADDRESS={0x8, 0x1, @initdev={0xac, 0x1e, 0x0, 0x0}}, @IFA_LABEL={0x14, 0x3, 'ip6gretap0\x00'}]}, 0x58}}, 0x4004000)
r2 = epoll_create1(0x0)
r3 = openat$rtc(0xffffffffffffff9c, &(0x7f00000001c0)='/dev/rtc\x00', 0x0, 0x0)
epoll_ctl$EPOLL_CTL_ADD(r2, 0x1, r3, &(0x7f0000000040))
setsockopt$inet_mreqn(r0, 0x0, 0x0, &(0x7f00000003c0)={@multicast1, @remote, r1}, 0xc)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  375.058478][T14177] binder_alloc: binder_alloc_mmap_handler: 14082 20001000-20004000 already mapped failed -16
15:42:28 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40106308, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  375.109003][T14105] binder: BINDER_SET_CONTEXT_MGR already set
15:42:28 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
fsetxattr$security_smack_transmute(r0, &(0x7f0000000300)='security.SMACK64TRANSMUTE\x00', &(0x7f0000000340)='TRUE', 0x4, 0x1)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
write$RDMA_USER_CM_CMD_CREATE_ID(r2, &(0x7f0000000140)={0x0, 0x18, 0xfa00, {0x1, &(0x7f0000000080)={<r4=>0xffffffffffffffff}, 0x13f, 0x6}}, 0x20)
write$RDMA_USER_CM_CMD_NOTIFY(r2, &(0x7f00000002c0)={0xf, 0x8, 0xfa00, {r4, 0x8}}, 0x10)
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5], 0x1f000})
ioctl$KVM_DEASSIGN_PCI_DEVICE(r2, 0x4040ae72, &(0x7f0000000000)={0x6, 0x0, 0x7, 0x4, 0x1})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

15:42:28 executing program 0:
r0 = openat(0xffffffffffffffff, &(0x7f0000000000)='./file0\x00', 0x404800, 0x164)
ioctl$KVM_GET_NESTED_STATE(r0, 0xc080aebe, &(0x7f00000002c0)={0x0, 0x0, 0x2080})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
ioctl$sock_SIOCBRADDBR(r0, 0x89a0, &(0x7f0000000040)='veth1_to_team\x00')
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  375.155077][T14105] binder: 14082:14105 ioctl 40046207 0 returned -16
15:42:28 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x80969800, 0x0)

[  375.213974][ T7756] binder: release 14082:14105 transaction 1622 out, still active
[  375.221934][ T7756] binder: unexpected work type, 4, not freed
[  375.239624][T14231] binder: BINDER_SET_CONTEXT_MGR already set
15:42:28 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x2, 0x0, 0x0})

[  375.273344][T14231] binder: 14230:14231 ioctl 40046207 0 returned -16
[  375.280687][ T7756] binder: undelivered TRANSACTION_COMPLETE
[  375.299451][ T7756] binder: send failed reply for transaction 1622, target dead
[  375.328690][T14231] binder: 14230:14231 transaction failed 29189/-22, size 0-0 line 2994
15:42:28 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x8cffffff, 0x0)

[  375.406131][T14265] binder: 14253:14265 ioctl c0306201 200002c0 returned -14
15:42:28 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
recvmmsg(0xffffffffffffff9c, &(0x7f0000004ec0)=[{{&(0x7f00000002c0), 0x80, &(0x7f0000000080)=[{&(0x7f0000000340)=""/218, 0xda}, {&(0x7f0000000440)=""/4096, 0x1000}, {&(0x7f0000001440)=""/87, 0x57}, {&(0x7f00000014c0)=""/140, 0x8c}, {&(0x7f0000000000)=""/28, 0x1c}], 0x5, &(0x7f0000001580)=""/111, 0x6f}, 0x8}, {{&(0x7f0000001600)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @mcast2}}}, 0x80, &(0x7f0000000140)=[{&(0x7f0000001680)=""/210, 0xd2}, {&(0x7f0000001780)=""/144, 0x90}, {&(0x7f0000001840)=""/82, 0x52}, {&(0x7f00000018c0)=""/93, 0x5d}, {&(0x7f0000001940)=""/214, 0xd6}, {&(0x7f0000001a40)=""/128, 0x80}, {&(0x7f0000001ac0)=""/187, 0xbb}], 0x7, &(0x7f0000001b80)=""/36, 0x24}, 0x400000000}, {{&(0x7f0000001bc0)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @local}}}, 0x80, &(0x7f0000002f00)=[{&(0x7f0000001c40)=""/85, 0x55}, {&(0x7f0000001cc0)=""/4096, 0x1000}, {&(0x7f0000002cc0)=""/82, 0x52}, {&(0x7f0000002d40)=""/221, 0xdd}, {&(0x7f0000002e40)=""/185, 0xb9}], 0x5, &(0x7f0000002f40)=""/221, 0xdd}, 0x1}, {{&(0x7f0000003040)=@hci, 0x80, &(0x7f0000003380)=[{&(0x7f00000030c0)}, {&(0x7f0000003100)=""/231, 0xe7}, {&(0x7f0000003200)=""/78, 0x4e}, {&(0x7f0000003280)=""/243, 0xf3}], 0x4, &(0x7f00000033c0)=""/64, 0x40}, 0x1}, {{&(0x7f0000003400)=@pppol2tp={0x18, 0x1, {0x0, <r2=>0xffffffffffffffff, {0x2, 0x0, @multicast2}}}, 0x80, &(0x7f0000003640)=[{&(0x7f0000003480)=""/1, 0x1}, {&(0x7f00000034c0)=""/232, 0xe8}, {&(0x7f00000035c0)=""/112, 0x70}], 0x3, &(0x7f0000003680)=""/159, 0x9f}, 0x944}, {{0x0, 0x0, &(0x7f0000004ac0)=[{&(0x7f0000003740)=""/152, 0x98}, {&(0x7f0000003800)=""/190, 0xbe}, {&(0x7f00000038c0)=""/34, 0x22}, {&(0x7f0000003900)=""/32, 0x20}, {&(0x7f0000003940)=""/207, 0xcf}, {&(0x7f0000003a40)=""/62, 0x3e}, {&(0x7f0000003a80)=""/6, 0x6}, {&(0x7f0000003ac0)=""/4096, 0x1000}], 0x8, &(0x7f0000004b00)=""/3, 0x3}, 0x7}, {{&(0x7f0000004b40)=@pptp={0x18, 0x2, {0x0, @initdev}}, 0x80, &(0x7f0000004dc0)=[{&(0x7f0000004bc0)=""/78, 0x4e}, {&(0x7f0000004c40)=""/95, 0x5f}, {&(0x7f0000004cc0)=""/22, 0x16}, {&(0x7f0000004d00)=""/187, 0xbb}], 0x4, &(0x7f0000004e00)=""/184, 0xb8}, 0x1}], 0x7, 0x10000, &(0x7f0000004fc0))
getsockopt$inet_tcp_buf(r2, 0x6, 0xb, &(0x7f0000005000)=""/198, &(0x7f0000005100)=0xc6)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  375.478706][T14345] binder_alloc: binder_alloc_mmap_handler: 14253 20001000-20004000 already mapped failed -16
15:42:28 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xb8030000, 0x0)

[  375.582896][T14445] binder_alloc: 14253: binder_alloc_buf, no vma
15:42:28 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer\x00', 0x40, 0x0)
setsockopt$inet6_MCAST_JOIN_GROUP(r2, 0x29, 0x2a, &(0x7f00000002c0)={0x9, {{0xa, 0x4e24, 0x5, @mcast2, 0x980f}}}, 0x84)
linkat(r2, &(0x7f0000000040)='./file0\x00', r2, &(0x7f0000000080)='./file0\x00', 0x400)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

15:42:28 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40106309, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:28 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)
r0 = syz_open_dev$usb(&(0x7f0000000000)='/dev/bus/usb/00#/00#\x00', 0x8, 0x10000)
bind$isdn_base(r0, &(0x7f0000000080)={0x22, 0x201736c4, 0x8, 0x4, 0x4}, 0x6)

[  375.624357][    T5] binder: release 14253:14265 transaction 1628 out, still active
[  375.645007][    T5] binder: unexpected work type, 4, not freed
[  375.651040][    T5] binder: undelivered TRANSACTION_COMPLETE
15:42:28 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xc0ed0000, 0x0)

15:42:28 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x18, 0x0, 0x0})

[  375.727210][T14463] binder: BINDER_SET_CONTEXT_MGR already set
[  375.739407][    T5] binder: undelivered TRANSACTION_COMPLETE
[  375.775194][T14463] binder: 14462:14463 ioctl 40046207 0 returned -16
[  375.786658][    T5] binder: send failed reply for transaction 1628, target dead
[  375.816415][    T5] binder: undelivered transaction 1631, process died.
[  375.836643][T14474] binder: 14473:14474 ioctl c0306201 200002c0 returned -14
15:42:28 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
eventfd(0x4)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

[  375.891183][T14572] binder_alloc: binder_alloc_mmap_handler: 14473 20001000-20004000 already mapped failed -16
[  375.958423][T14474] binder: BINDER_SET_CONTEXT_MGR already set
[  375.998434][T14474] binder: 14473:14474 ioctl 40046207 0 returned -16
[  375.998524][T14675] binder_alloc: 14473: binder_alloc_buf, no vma
15:42:28 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40406300, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:29 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xca000000, 0x0)

[  376.043626][    T5] binder: release 14473:14474 transaction 1634 out, still active
[  376.051538][    T5] binder: unexpected work type, 4, not freed
[  376.072199][    T5] binder: undelivered TRANSACTION_COMPLETE
15:42:29 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x1800, 0x0, 0x0})

15:42:29 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
r0 = openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000000)='/dev/cachefiles\x00', 0x48900, 0x0)
bpf$MAP_CREATE(0x0, &(0x7f0000000080)={0xd, 0x4, 0xff, 0x2, 0x0, r0, 0x81}, 0x2c)
mount(&(0x7f0000000040)=ANY=[@ANYBLOB='[d::]:?llb:\x00'], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)
ioctl$LOOP_SET_DIRECT_IO(r0, 0x4c08, 0xf6)
setsockopt$IP_VS_SO_SET_FLUSH(r0, 0x0, 0x485, 0x0, 0x0)

[  376.136243][    T5] binder: undelivered TRANSACTION_COMPLETE
[  376.147482][T14686] binder: BINDER_SET_CONTEXT_MGR already set
[  376.212704][T14686] binder: 14685:14686 ioctl 40046207 0 returned -16
[  376.212806][    T5] binder: send failed reply for transaction 1634, target dead
15:42:29 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xd0030000, 0x0)

[  376.255663][T14698] binder: 14697:14698 ioctl c0306201 200002c0 returned -14
[  376.268647][    T5] binder: undelivered transaction 1637, process died.
[  376.283258][T14723] binder_alloc: binder_alloc_mmap_handler: 14697 20001000-20004000 already mapped failed -16
15:42:29 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = openat$sequencer2(0xffffffffffffff9c, &(0x7f00000003c0)='/dev/sequencer2\x00', 0x8000, 0x0)
r3 = openat$hwrng(0xffffffffffffff9c, &(0x7f0000000400)='/dev/hwrng\x00', 0x0, 0x0)
connect$l2tp(r2, &(0x7f0000000440)=@pppol2tpin6={0x18, 0x1, {0x0, r3, 0x3, 0x2, 0x1, 0x0, {0xa, 0x4e22, 0x5, @mcast1, 0x2}}}, 0x32)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r4 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
socketpair$unix(0x1, 0x0, 0x0, &(0x7f0000000000))
getsockopt$XDP_MMAP_OFFSETS(r4, 0x11b, 0x1, &(0x7f0000000300), &(0x7f0000000380)=0x60)
getsockopt$IP_VS_SO_GET_TIMEOUT(r4, 0x0, 0x486, &(0x7f0000000140), &(0x7f00000002c0)=0xc)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r5 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r4, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r5, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r4, 0xae80, 0x0)
setsockopt$RDS_FREE_MR(r4, 0x114, 0x3, &(0x7f0000000080)={{0x80, 0x3}, 0x10}, 0x10)

[  376.311495][T14733] libceph: parse_ips bad ip '[d::]:?llb'
[  376.323429][T14698] binder: BINDER_SET_CONTEXT_MGR already set
15:42:29 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = openat$zero(0xffffffffffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x18002, 0x0)
ioctl$KVM_GET_DIRTY_LOG(r1, 0x4010ae42, &(0x7f0000000040)={0x10003, 0x0, &(0x7f0000ffb000/0x4000)=nil})
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000080)='/dev/sequencer\x00', 0x284000, 0x0)

[  376.360995][T14698] binder: 14697:14698 ioctl 40046207 0 returned -16
[  376.382676][    T5] binder: release 14697:14698 transaction 1640 out, still active
[  376.400243][T14723] binder_alloc: 14697: binder_alloc_buf, no vma
15:42:29 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xea030000, 0x0)

15:42:29 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40406301, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  376.408813][    T5] binder: unexpected work type, 4, not freed
[  376.429569][    T5] binder: undelivered TRANSACTION_COMPLETE
[  376.463903][    T5] binder: undelivered TRANSACTION_COMPLETE
15:42:29 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)
r0 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vcs\x00', 0x202400, 0x0)
socket$nl_xfrm(0x10, 0x3, 0x6)
getsockopt$inet_pktinfo(r0, 0x0, 0x8, &(0x7f00000002c0)={0x0, @remote, @loopback}, &(0x7f0000000300)=0xc)
ioctl$DRM_IOCTL_MODE_SETCRTC(r0, 0xc06864a2, &(0x7f0000000240)={&(0x7f00000000c0)=[0x400, 0x4, 0x4, 0x80], 0x4, 0x88, 0x5, 0x6, 0x4, 0x0, {0x200, 0xea, 0x6, 0x0, 0xfffffffffffffc00, 0x800, 0x1, 0x8, 0x9, 0x3ff, 0x2, 0x3f, 0x5, 0x40, "0b0b179f453e37a02c630c8abdf39a2e4c183a563d278273e9004f6df0d5ac21"}})
ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, &(0x7f0000001840)={'vcan0\x00', <r1=>0x0})
getsockopt$inet6_mtu(r0, 0x29, 0x17, &(0x7f00000003c0), &(0x7f0000000400)=0x4)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000380)={'team_slave_0\x00', <r2=>r1})
sendmsg$nl_route_sched(r0, &(0x7f00000001c0)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x400000}, 0xc, &(0x7f0000000180)={&(0x7f0000000140)=@newtfilter={0x34, 0x2c, 0x403, 0x70bd2d, 0x25dfdbfc, {0x0, r2, {0xb, 0x1a}, {0xffff}, {0xf, 0xe}}, [@TCA_RATE={0x8, 0x5, {0x8001, 0x3}}, @TCA_CHAIN={0x8, 0xb, 0x4}]}, 0x34}, 0x1, 0x0, 0x0, 0x800}, 0x40014)

15:42:29 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x1000000, 0x0, 0x0})

[  376.515297][    T5] binder: send failed reply for transaction 1640, target dead
[  376.546543][T14915] binder: 14914:14915 got reply transaction with bad transaction stack, transaction 1646 has target 14914:0
15:42:29 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf6030000, 0x0)

[  376.566866][    T5] binder: undelivered transaction 1643, process died.
15:42:29 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
getsockopt$inet6_IPV6_XFRM_POLICY(r2, 0x29, 0x23, &(0x7f00000002c0)={{{@in, @in, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r4=>0x0}}, {{@in6=@initdev}, 0x0, @in6=@mcast2}}, &(0x7f0000000000)=0xe8)
getresgid(&(0x7f0000000080), &(0x7f0000000140)=<r5=>0x0, &(0x7f00000003c0))
getsockopt$inet6_IPV6_IPSEC_POLICY(r2, 0x29, 0x22, &(0x7f0000000400)={{{@in6=@ipv4={[], [], @local}, @in6=@dev, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r6=>0x0}}, {{@in6=@initdev}, 0x0, @in6=@remote}}, &(0x7f0000000500)=0xe8)
write$P9_RSTATu(r2, &(0x7f0000000540)={0x6d, 0x7d, 0x1, {{0x0, 0x4f, 0x537c, 0x3, {0x20, 0x3, 0x8}, 0x40000000, 0x3, 0x0, 0x200, 0x4, 'eth1', 0x9, '/dev/kvm\x00', 0x6, 'lobdev', 0x9, '/dev/kvm\x00'}, 0x9, '/dev/kvm\x00', r4, r5, r6}}, 0x6d)
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  376.645852][T14928] binder: BINDER_SET_CONTEXT_MGR already set
[  376.696954][T14928] binder: 14919:14928 ioctl 40046207 0 returned -16
[  376.735302][T15009] binder: 14919:15009 ioctl c0306201 200002c0 returned -14
15:42:29 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x10000, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

15:42:29 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf6ffffff, 0x0)

[  376.754139][T15009] binder_alloc: binder_alloc_mmap_handler: 14919 20001000-20004000 already mapped failed -16
15:42:29 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  376.805981][   T17] binder: send failed reply for transaction 1646 to 14914:14915
[  376.832798][T15139] binder_alloc: 14919: binder_alloc_buf, no vma
15:42:29 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
r0 = syz_open_dev$mice(&(0x7f0000000000)='/dev/input/mice\x00', 0x0, 0x80181)
write$RDMA_USER_CM_CMD_CREATE_ID(0xffffffffffffffff, &(0x7f0000000140)={0x0, 0x18, 0xfa00, {0x3, &(0x7f00000000c0)={<r1=>0xffffffffffffffff}, 0x113}}, 0x20)
write$RDMA_USER_CM_CMD_SET_OPTION(r0, &(0x7f0000000180)={0xe, 0x18, 0xfa00, @id_resuseaddr={&(0x7f0000000080)=0x1, r1, 0x0, 0x1, 0x4}}, 0x20)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  376.856626][   T17] binder: send failed reply for transaction 1648 to 14919:15009
[  376.878315][T15143] binder: BINDER_SET_CONTEXT_MGR already set
[  376.894339][   T17] binder: undelivered transaction 1651, process died.
15:42:29 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf9fdffff, 0x0)

[  376.919005][T15143] binder: 15141:15143 ioctl 40046207 0 returned -16
15:42:29 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x2000000, 0x0, 0x0})

15:42:30 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

[  377.083170][T15233] binder: 15231:15233 ioctl c0306201 200002c0 returned -14
[  377.118230][T15257] binder_alloc: binder_alloc_mmap_handler: 15231 20001000-20004000 already mapped failed -16
15:42:30 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xfeffffff, 0x0)

15:42:30 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x4048637e, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:30 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xfffff000, 0x0)

[  377.194232][T15233] binder: BINDER_SET_CONTEXT_MGR already set
[  377.219701][T15233] binder: 15231:15233 ioctl 40046207 0 returned -16
[  377.220168][T15302] binder_alloc: 15231: binder_alloc_buf, no vma
[  377.268399][    T5] binder: send failed reply for transaction 1655 to 15231:15233
[  377.291904][T15343] binder: 15338:15343 unknown command 1078485886
[  377.300826][    T5] binder: undelivered transaction 1658, process died.
15:42:30 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xfffffdf9, 0x0)

[  377.327307][T15343] binder: 15338:15343 ioctl c0306201 200002c0 returned -22
15:42:30 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x18000000, 0x0, 0x0})

15:42:30 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dlm-monitor\x00', 0x440002, 0x0)
openat$cgroup_ro(r1, &(0x7f0000000040)='cpuacct.stat\x00', 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r3 = openat$dlm_control(0xffffffffffffff9c, &(0x7f00000024c0)='/dev/dlm-control\x00', 0x400, 0x0)
getsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(0xffffffffffffff9c, 0x84, 0xa, &(0x7f0000002500)={0x7, 0x5, 0xa, 0x3f, 0x7, 0x20, 0x0, 0x1ff, <r4=>0x0}, &(0x7f0000002540)=0x20)
setsockopt$inet_sctp6_SCTP_MAX_BURST(r3, 0x84, 0x14, &(0x7f0000002580)=@assoc_value={r4, 0x80000000}, 0x8)
r5 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
ioctl$sock_inet_SIOCDARP(r5, 0x8953, &(0x7f0000000340)={{0x2, 0x4e24, @initdev={0xac, 0x1e, 0x0, 0x0}}, {0x6, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x1}}, 0x0, {0x2, 0x5, @loopback}, 'veth1\x00'})
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$SNDRV_SEQ_IOCTL_SUBSCRIBE_PORT(r2, 0x40505330, &(0x7f00000002c0)={{0x0, 0xaf}, {0x0, 0x9}, 0x6, 0x7, 0xf983})
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r6 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r6, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r6, 0xae80, 0x0)

15:42:30 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=ANY=[@ANYBLOB="040000005d3a2f6c6c623a00"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:42:30 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = socket$xdp(0x2c, 0x3, 0x0)
setsockopt$XDP_TX_RING(r2, 0x11b, 0x3, &(0x7f0000000080)=0x10000, 0x4)
getsockopt$XDP_MMAP_OFFSETS(r2, 0x11b, 0x7, &(0x7f0000001300), &(0x7f0000000100)=0x60)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$TUNGETFEATURES(r3, 0x800454cf, &(0x7f0000000000))
write$FUSE_POLL(r3, &(0x7f0000000140)={0x18, 0x0, 0x3, {0x3}}, 0x18)
ioctl$KVM_RUN(r4, 0xae80, 0x0)

15:42:30 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xffffff7f, 0x0)

15:42:30 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  377.511784][T15467] ceph: device name is missing path (no : separator in )
[  377.536363][    T5] binder: send failed reply for transaction 1661 to 15338:15343
15:42:30 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xffffff8c, 0x0)

[  377.573918][T15469] binder: 15466:15469 ioctl c0306201 200002c0 returned -14
[  377.609432][T15504] binder_alloc: binder_alloc_mmap_handler: 15466 20001000-20004000 already mapped failed -16
[  377.643143][T15520] binder: BINDER_SET_CONTEXT_MGR already set
[  377.691372][T15520] binder: 15516:15520 ioctl 40046207 0 returned -16
[  377.698498][T15469] binder: BINDER_SET_CONTEXT_MGR already set
15:42:30 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xfffffff6, 0x0)

[  377.759746][T15469] binder: 15466:15469 ioctl 40046207 0 returned -16
[  377.759914][T15584] binder_alloc: 15466: binder_alloc_buf, no vma
[  377.773118][    T5] binder: send failed reply for transaction 1663 to 15466:15469
[  377.781366][    T5] binder: undelivered transaction 1666, process died.
15:42:30 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
r0 = openat$full(0xffffffffffffff9c, &(0x7f0000000000)='/dev/full\x00', 0x400000, 0x0)
ioctl$KVM_PPC_ALLOCATE_HTAB(r0, 0xc004aea7, &(0x7f0000000080)=0x1)
ioctl$NBD_SET_SIZE(r0, 0xab02, 0x3)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:42:30 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:30 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xfffffffe, 0x0)

[  377.969534][T15711] binder: 15710:15711 got transaction to invalid handle
15:42:30 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0xfdfdffff, 0x0, 0x0})

15:42:31 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
accept4$packet(r2, 0x0, &(0x7f0000000000), 0x800)
ioctl$KVM_RUN(r3, 0xae80, 0x0)
syz_open_dev$mouse(&(0x7f0000000080)='/dev/input/mouse#\x00', 0x0, 0x501002)

15:42:31 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = syz_open_dev$audion(&(0x7f0000000000)='/dev/audio#\x00', 0x4404, 0x208101)
ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD(0xffffffffffffff9c, 0xc00c642d, &(0x7f0000000080)={<r2=>0x0, 0x80000, 0xffffffffffffff9c})
r3 = dup3(r0, r0, 0x80000)
ioctl$DRM_IOCTL_PRIME_FD_TO_HANDLE(r1, 0xc00c642e, &(0x7f0000000140)={r2, 0x80000, r3})
r4 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r5 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r6 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r4, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r6, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
openat$md(0xffffffffffffff9c, &(0x7f0000000040)='/dev/md0\x00', 0xc0, 0x0)
ioctl$ASHMEM_SET_SIZE(r5, 0x40047703, 0x40)
ioctl$KVM_RUN(r6, 0xae80, 0x0)
getcwd(&(0x7f00000002c0)=""/45, 0x2d)

15:42:31 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x498e499e52, 0x0)

[  378.172203][T15791] binder: BINDER_SET_CONTEXT_MGR already set
[  378.185494][T15791] binder: 15777:15791 ioctl 40046207 0 returned -16
15:42:31 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x4990643722, 0x0)

[  378.223260][T15826] binder: 15777:15826 ioctl c0306201 200002c0 returned -14
15:42:31 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  378.310812][T15826] binder_alloc: binder_alloc_mmap_handler: 15777 20001000-20004000 already mapped failed -16
[  378.324185][    T5] binder: send failed reply for transaction 1669 to 15710:15711
[  378.343399][    T5] binder: send failed reply for transaction 1671 to 15777:15826
15:42:31 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000280)=@sg0='/dev/sg0\x00', &(0x7f00000001c0)='./file0\x00', &(0x7f0000000180)='ntfs\x00', 0x0, 0x0)
setxattr$security_smack_transmute(&(0x7f0000000000)='./file0\x00', &(0x7f0000000080)='security.SMACK64TRANSMUTE\x00', &(0x7f00000000c0)='TRUE', 0x4, 0x1)

[  378.397501][T15939] binder_alloc: 15777: binder_alloc_buf, no vma
[  378.405277][T15938] binder: BINDER_SET_CONTEXT_MGR already set
[  378.421898][T15938] binder: 15937:15938 ioctl 40046207 0 returned -16
[  378.430511][    T5] binder: undelivered transaction 1674, process died.
[  378.445986][T15938] binder_alloc: 15777: binder_alloc_buf, no vma
15:42:31 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xedc000000000, 0x0)

15:42:31 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0xfffffdfd, 0x0, 0x0})

[  378.533276][T15938] binder_transaction: 9 callbacks suppressed
[  378.533295][T15938] binder: 15937:15938 transaction failed 29189/-3, size 0-0 line 3147
[  378.592149][T15989] binder: 15988:15989 ioctl c0306201 200002c0 returned -14
15:42:31 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x4040800, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=ANY=[@ANYBLOB='vd:N]:/llb:\x00'], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  378.666899][T16151] binder_alloc: binder_alloc_mmap_handler: 15988 20001000-20004000 already mapped failed -16
15:42:31 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:31 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$IOC_PR_RESERVE(r2, 0x401070c9, &(0x7f0000000000)={0x3})
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  378.737003][T15989] binder: BINDER_SET_CONTEXT_MGR already set
[  378.776442][T16161] libceph: resolve 'vd' (ret=-3): failed
[  378.786103][T15989] binder: 15988:15989 ioctl 40046207 0 returned -16
[  378.788691][ T7756] binder_release_work: 18 callbacks suppressed
[  378.788699][ T7756] binder: undelivered TRANSACTION_ERROR: 29189
[  378.806972][T16161] libceph: parse_ips bad ip 'vd:N]'
[  378.825113][T16162] binder_alloc: 15988: binder_alloc_buf, no vma
15:42:31 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x1000000000000, 0x0)

[  378.835639][T16166] binder: BINDER_SET_CONTEXT_MGR already set
[  378.859806][T16162] binder: 15988:16162 transaction failed 29189/-3, size 24-8 line 3147
15:42:31 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$SG_GET_NUM_WAITING(r2, 0x227d, &(0x7f0000000000))
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  378.915579][T16166] binder: 16164:16166 ioctl 40046207 0 returned -16
[  378.926199][    T5] binder: release 15988:15989 transaction 1679 out, still active
[  378.934940][T16151] binder_alloc: 15988: binder_alloc_buf, no vma
[  378.942920][    T5] binder: unexpected work type, 4, not freed
[  378.954569][T16151] binder: 15988:16151 transaction failed 29189/-3, size 24-0 line 3147
[  378.963793][    T5] binder: send failed reply for transaction 1679, target dead
15:42:31 executing program 1:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
clone(0x2102001ff9, 0x0, 0xfffffffffffffffe, 0x0, 0xffffffffffffffff)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\x00', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)
r0 = syz_open_dev$mouse(&(0x7f00000002c0)='/dev/input/mouse#\x00', 0xb, 0x18000)
r1 = syz_genetlink_get_family_id$tipc(&(0x7f00000000c0)='TIPC\x00')
sendmsg$TIPC_CMD_GET_BEARER_NAMES(r0, &(0x7f00000001c0)={&(0x7f0000000080), 0xc, &(0x7f0000000180)={&(0x7f0000000140)={0x1c, r1, 0x100, 0x70bd2c, 0x25dfdbfc, {}, ["", ""]}, 0xfffffffffffffe5a}, 0x1, 0x0, 0x0, 0x40}, 0x20000000)

[  379.006816][    T5] binder: undelivered transaction 1682, process died.
[  379.017755][T16151] binder: 15988:16151 ioctl c0306201 200002c0 returned -14
15:42:32 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:32 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
socket$caif_stream(0x25, 0x1, 0x5)
r2 = dup2(r1, r0)
ioctl$DRM_IOCTL_MODE_GETCRTC(r2, 0xc06864a1, &(0x7f00000002c0)={&(0x7f0000000040)=[0x9], 0x1, 0x5, 0x5, 0x5, 0x0, 0x80000001, {0xfffffffffffffffb, 0x3, 0x7ff, 0x100000000, 0x0, 0x3, 0x1, 0x75c, 0x1, 0x101, 0xdb, 0x401, 0x1, 0x7fff, "5b9c216886672e95863955044e2e1ad07939500d9b5553c7472a94f1853495d5"}})
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
ioctl$DRM_IOCTL_GET_CAP(r2, 0xc010640c, &(0x7f0000000080)={0x7ff, 0xc8})
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$PPPIOCGDEBUG(r0, 0x80047441, &(0x7f0000000000))
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

15:42:32 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x100000000000000, 0x0, 0x0})

[  379.056531][    T5] binder: undelivered TRANSACTION_ERROR: 29189
[  379.079502][    T5] binder: undelivered TRANSACTION_ERROR: 29189
15:42:32 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x2000000000000, 0x0)

[  379.229128][T16406] binder: 16401:16406 ioctl c0306201 200002c0 returned -14
[  379.271357][T16410] binder: BINDER_SET_CONTEXT_MGR already set
[  379.301945][T16410] binder: 16400:16410 ioctl 40046207 0 returned -16
[  379.308935][T16406] binder: BINDER_SET_CONTEXT_MGR already set
15:42:32 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
lstat(&(0x7f0000000000)='./file1\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, <r5=>0x0})
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000080)={0x3, 0x3, 0x105000, 0x1000, &(0x7f0000010000/0x1000)=nil})
ioprio_set$uid(0x3, r5, 0xffffffff)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

[  379.331503][T16406] binder: 16401:16406 ioctl 40046207 0 returned -16
[  379.341243][T16417] binder: 16401:16417 transaction failed 29189/-3, size 24-8 line 3147
[  379.341251][    T5] binder: send failed reply for transaction 1686 to 16401:16406
[  379.341271][    T5] binder: undelivered transaction 1689, process died.
[  379.370983][    T5] binder_release_work: 13 callbacks suppressed
[  379.370988][    T5] binder: undelivered TRANSACTION_COMPLETE
[  379.391847][    T5] binder: undelivered TRANSACTION_COMPLETE
[  379.402668][    T5] binder: undelivered TRANSACTION_ERROR: 29189
[  379.409215][    T5] binder: undelivered TRANSACTION_ERROR: 29189
15:42:32 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x200000000000000, 0x0, 0x0})

15:42:32 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
ioctl$KVM_RUN(r2, 0xae80, 0x0)

15:42:32 executing program 1:

15:42:32 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  379.524651][T16599] netlink: 'syz-executor.5': attribute type 1 has an invalid length.
15:42:32 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf0ffffffffffff, 0x0)

[  379.571150][T16610] binder: 16609:16610 ioctl c0306201 200002c0 returned -14
[  379.605886][T16614] binder: BINDER_SET_CONTEXT_MGR already set
[  379.611969][T16614] binder: 16613:16614 ioctl 40046207 0 returned -16
15:42:32 executing program 1:
r0 = openat$vicodec1(0xffffffffffffff9c, &(0x7f0000000440)='/dev/video37\x00', 0x2, 0x0)
ioctl$VIDIOC_DQBUF(r0, 0xc0585611, &(0x7f00000004c0)={0x0, 0x9, 0x4, 0x0, {0x0, 0x2710}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, "5bbc2297"}, 0x0, 0x0, @planes=0x0, 0x4})

[  379.650713][T16618] binder_alloc_mmap_handler: 1 callbacks suppressed
[  379.650732][T16618] binder_alloc: binder_alloc_mmap_handler: 16609 20001000-20004000 already mapped failed -16
15:42:32 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x100000000000000, 0x0)

[  379.725161][T16622] netlink: 'syz-executor.5': attribute type 1 has an invalid length.
[  379.742533][T16614] binder: 16613:16614 transaction failed 29189/-3, size 0-0 line 3147
15:42:32 executing program 1:
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080)={<r0=>0xffffffffffffffff})
ioctl$TCSETSF(0xffffffffffffffff, 0x5404, &(0x7f0000000000)={0x0, 0x0, 0x8000, 0x0, 0x0, 0x33, 0x3, 0x400003})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
syz_execute_func(&(0x7f00000000c0)="f3e1005e57c3c3e2c9b7d991734e424a2664f0ff064a460f3038082e67660f50e900004681e400000100440fe53136660fd9ee6c450754e50c420fae9972b571112d02")

15:42:32 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x806, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x1)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

15:42:32 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0xa, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  379.913930][T16610] binder: 16609:16610 transaction failed 29189/-3, size 24-8 line 3147
[  379.934696][ T7807] binder: undelivered TRANSACTION_ERROR: 29189
[  379.941432][T16739] binder: BINDER_SET_CONTEXT_MGR already set
[  379.952511][T16739] binder: 16609:16739 ioctl 40046207 0 returned -16
15:42:32 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000040)={<r0=>0xffffffffffffffff})
ioctl$TCSETSF(0xffffffffffffffff, 0x5404, &(0x7f0000000000)={0x0, 0x0, 0xfffffffffffffff8, 0x0, 0x9, 0x0, 0x0, 0x0, 0x3f})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
syz_execute_func(&(0x7f00000000c0)="c4827d5a6e0d5e57c3c3b7d95a91914e424a2664f0ff065b460f343030082e67660f50e900004681e400000100440fe531feabc4aba39d450754ddea420fae9972b571112d02")

[  379.999256][T16610] binder: 16609:16610 ioctl c0306201 200002c0 returned -14
15:42:33 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x200000000000000, 0x0)

[  380.042877][T16745] binder: BINDER_SET_CONTEXT_MGR already set
[  380.072434][T16745] binder: 16743:16745 ioctl 40046207 0 returned -16
[  380.102524][ T7807] binder: undelivered TRANSACTION_ERROR: 29189
[  380.108812][ T7807] binder: send failed reply for transaction 1692 to 16609:16610
[  380.115661][T16745] binder: 16743:16745 transaction failed 29189/-22, size 0-0 line 2994
15:42:33 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x1800000000000000, 0x0, 0x0})

[  380.152127][ T7807] binder: undelivered transaction 1695, process died.
[  380.184186][ T7807] binder: undelivered TRANSACTION_COMPLETE
[  380.209549][ T7807] binder: undelivered TRANSACTION_COMPLETE
[  380.217020][T16797] binder: 16785:16797 ioctl c0306201 200002c0 returned -14
[  380.228289][ T7807] binder: undelivered TRANSACTION_ERROR: 29189
[  380.241463][T16821] binder_alloc: binder_alloc_mmap_handler: 16785 20001000-20004000 already mapped failed -16
15:42:33 executing program 1:
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000040)={<r0=>0xffffffffffffffff})
ioctl$TCSETSF(0xffffffffffffffff, 0x5404, &(0x7f0000000000)={0x0, 0x0, 0x6, 0x0, 0xd, 0x0, 0x7, 0x3, 0x20000002})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
syz_execute_func(&(0x7f00000000c0)="c4827d5a6e0d5e57c3c3b7d95a91914e424a2664f0ff065b460f343030082e67660f50e900004681e400000100440fe531feabc4aba39d450754ddea420fae9972b571112d02")

15:42:33 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x3, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

[  380.261107][T16821] binder: 16785:16821 transaction failed 29189/-3, size 24-8 line 3147
[  380.262864][T16797] binder: BINDER_SET_CONTEXT_MGR already set
[  380.300602][T16797] binder: 16785:16797 ioctl 40046207 0 returned -16
[  380.300794][ T7807] binder: release 16785:16797 transaction 1700 out, still active
[  380.307661][T16821] binder: 16785:16821 ioctl c0306201 200002c0 returned -14
15:42:33 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x8000, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)
socketpair$tipc(0x1e, 0x7, 0x0, &(0x7f0000000080))
set_tid_address(&(0x7f0000000000))

15:42:33 executing program 1:
socketpair$unix(0x1, 0x800000000000001, 0x0, &(0x7f0000000040)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
ioctl$TCSETSF(0xffffffffffffffff, 0x5404, &(0x7f0000000000)={0x0, 0x0, 0x7fff, 0x0, 0x0, 0xffffffffffffdff9, 0xffffffffffffffff, 0x0, 0x7})
r1 = dup(r0)
ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200)
syz_execute_func(&(0x7f00000000c0)="c4827d5a6e0d5e57c3c3b7d95a91914e424a2664f0ff065b460f343030082e67660f50e900004681e400000100440fe531feabc4aba39d450754ddea420fae9972b571112d02")

15:42:33 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x48, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  380.356898][ T7807] binder: unexpected work type, 4, not freed
[  380.376153][ T7807] binder: undelivered TRANSACTION_COMPLETE
[  380.395462][ T7807] binder: undelivered TRANSACTION_COMPLETE
[  380.433624][ T7807] binder: undelivered TRANSACTION_ERROR: 29189
[  380.451013][T16872] binder: BINDER_SET_CONTEXT_MGR already set
15:42:33 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x300000000000000, 0x0)

15:42:33 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0xfdfdffff00000000, 0x0, 0x0})

[  380.514248][ T7807] binder: undelivered TRANSACTION_ERROR: 29189
[  380.524136][T16872] binder: 16871:16872 ioctl 40046207 0 returned -16
[  380.544373][ T7807] binder: send failed reply for transaction 1700, target dead
15:42:33 executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
lstat(&(0x7f0000000000)='./file1\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, <r5=>0x0})
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000080)={0x3, 0x3, 0x105000, 0x1000, &(0x7f0000010000/0x1000)=nil})
ioprio_set$uid(0x3, r5, 0xffffffff)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

[  380.613209][T16894] binder: 16882:16894 ioctl c0306201 200002c0 returned -14
[  380.661678][T16967] binder_alloc: binder_alloc_mmap_handler: 16882 20001000-20004000 already mapped failed -16
15:42:33 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x4c, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  380.743068][T16967] binder_alloc_new_buf_locked: 4 callbacks suppressed
[  380.743078][T16967] binder_alloc: 16882: binder_alloc_buf, no vma
[  380.777875][T16989] netlink: 'syz-executor.1': attribute type 1 has an invalid length.
[  380.801355][T16991] binder: BINDER_SET_CONTEXT_MGR already set
[  380.816883][T16967] binder: 16882:16967 transaction failed 29189/-3, size 24-8 line 3147
15:42:33 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x400000000000000, 0x0)

15:42:33 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

[  380.870114][T16994] binder: BINDER_SET_CONTEXT_MGR already set
[  380.886077][T16991] binder: 16882:16991 ioctl 40046207 0 returned -16
[  380.894955][T16994] binder: 16993:16994 ioctl 40046207 0 returned -16
[  380.895180][ T7756] binder: release 16882:16894 transaction 1706 out, still active
15:42:33 executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
lstat(&(0x7f0000000000)='./file1\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, <r5=>0x0})
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000080)={0x3, 0x3, 0x105000, 0x1000, &(0x7f0000010000/0x1000)=nil})
ioprio_set$uid(0x3, r5, 0xffffffff)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

15:42:33 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
getsockopt$TIPC_GROUP_JOIN(r2, 0x10f, 0x87, &(0x7f0000000080), &(0x7f0000000140)=0x4)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
getsockopt$inet_sctp_SCTP_CONTEXT(r2, 0x84, 0x11, &(0x7f0000000000)={<r4=>0x0, 0x8c}, &(0x7f0000000340)=0x8)
getsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r1, 0x84, 0x9, &(0x7f0000000380)={<r5=>0x0, @in={{0x2, 0x4e22, @initdev={0xac, 0x1e, 0x0, 0x0}}}, 0x8, 0x8001, 0x65, 0x2, 0xa}, &(0x7f0000000440)=0x98)
getsockopt$inet_sctp6_SCTP_STATUS(r2, 0x84, 0xe, &(0x7f0000000480)={r4, 0x3, 0x3, 0x2253, 0x4, 0x8, 0x47, 0x8, {r5, @in6={{0xa, 0x4e20, 0xff, @mcast1, 0x8}}, 0x1, 0x80, 0x9, 0x7, 0x27}}, &(0x7f0000000540)=0xb0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$SNDRV_SEQ_IOCTL_SET_CLIENT_POOL(r2, 0x4058534c, &(0x7f00000002c0)={0xb4d, 0x101, 0x80000001, 0x9bb8, 0x9, 0xffffffffffffff00})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  380.936488][ T7756] binder: unexpected work type, 4, not freed
[  380.969792][ T7756] binder: undelivered TRANSACTION_COMPLETE
15:42:33 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x2, 0x0})

[  380.993723][ T7756] binder: undelivered TRANSACTION_COMPLETE
[  381.022469][ T7756] binder: send failed reply for transaction 1706, target dead
[  381.059189][ T7756] binder_cleanup_transaction: 1 callbacks suppressed
[  381.059197][ T7756] binder: undelivered transaction 1709, process died.
[  381.098594][T17109] netlink: 'syz-executor.1': attribute type 1 has an invalid length.
15:42:34 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x60, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  381.105860][T17112] binder_alloc: binder_alloc_mmap_handler: 17110 20001000-20004000 already mapped failed -16
[  381.191965][T17117] binder: BINDER_SET_CONTEXT_MGR already set
15:42:34 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x500000000000000, 0x0)

15:42:34 executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
lstat(&(0x7f0000000000)='./file1\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, <r5=>0x0})
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000080)={0x3, 0x3, 0x105000, 0x1000, &(0x7f0000010000/0x1000)=nil})
ioprio_set$uid(0x3, r5, 0xffffffff)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

15:42:34 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
r1 = syz_open_dev$audion(&(0x7f0000000140)='/dev/audio#\x00', 0x10001, 0x440002)
syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@text64={0x40, &(0x7f00000002c0)="0fc79bef3d0000f30f06c4e1a5e938660fda05040000000f5fb9e200000066baf80cb871284288ef66bafc0cecb805000000b9008800000f01d9de9fc9c50000476d2e410f0133"}], 0x155555555555580f, 0x1, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r3 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
ioctl$KVM_GET_LAPIC(r1, 0x8400ae8e, &(0x7f0000000340)={"b420ff3ef8da34a3bf08e8cdcdb27bdd609408d322477cdceec111a61f068ac0db48248750a8656d2f40cb4b1e76d0efadd241d6dd903c44f0ebbf4667650c46d31a26ebbd827b7ee6be754b07ac3d43398b8d94a921c7a6b9dc2eee112f4a89e40c593adb215ce55299c27fb57a33dbd1ee61ef83962345670aecf1d1a077bffc1604078edfd32cac0997255c9d43d8aa97abf43885666816bcabef7fc4e0bf8b985b58b17102564eb69bf6bfddad3e55a722c86df0f9b4b2d893f334ce6dfc80dd473d553975f8ccda9ca1694ce7010d5f7111b89a4072f20b961d09cc5401885e291dfe2b5c92165f665d3966b312c5d706ea29f0eb9e1f6fa14112f5807b6cf9855a3fa0c5f3ef8c9558a96d12e3087b4bb9ac9776a3e0ba014047e4ae3c0490f41dab51e167c4aee91aebe72657faf902fd20daeb4069a4c10ac05d5a260170116350ea759ce39c00868331b6bd8bd9823ae6e1608ce28e06a9478e96c1f041e2aaaa5dc8d5e740d12e65a81b5129b4fd7f9c577ca09ca001623ef5b436043f0a23be6d32822341af1f75b779eb1fabfd1cadbf3679da223141b187c53a53268a8547b174ee4a34e5cbdedea59e60ee59baba19a49757de571627e394eebfd25f77aa9b4f8880cf93727da2b0f62105718aa26da2117a750e9549c5ab5ebe413dc9e670393ebbd98c5f83c2b3f61d87bdecbfa7fb00520f879952700dc8b7756731411f602266b8074f46880f2f2d221569cbe93f84c017bc92310f251e8dd30a51099854eb6474ebaeb47f3c616dcf1cf8a9f4c9b5ae45f7838ccf05ac37eea912e5fea44dcfe264a3c8a7cda8959bf129a1e142a32b66ee4bbb7ada6bdd8b187b141b841f95cb5bd45bc36bf655f91404f12639b696f8e6f135ef69f6994e3b4d2701c4ace068ec1fd80ee462094616e7b3fbb1236ee287178581fd4c064597ba9e293e1d38506e38edefcaffc5e0bb33a60f582ecb7822f6fb28688aabb92935dc16fef6301a5d0c905bbe65dc20c1e30ecde0b7926cc16412f461ac0d260d0069759a4e1a129b6b338c9e55f56935764f4dd94ffa66c90b2464823f8f79e06f5dc2fe4ab7ee054776ffaf626fda3dd4213bd312fbf9ab3c1db385900c745f6aa340e20b5f5cb925df1910337efee5c2eb490b47f7fa91f57a0881c5c097ec1a240686df1415a231e940e1ca843dd9d302d09dc4bc71237799482239a11af531ca66d5312fc0be97b9ce5ee3e62845c4128abf65d9970ba2b809ff6f874a16c056d38efe647f12d2d85b4664f09c4b5b2712422d50a273ac7c3235e6d21aaa66d2299895bf6e690b493b3e8926897f7e9cfeb620ab3ff9b6c684b0bb41a88b66916fe4406e9ca7889f167a923ea838c68c58b79b97317c9b014591c3a5e7438050405003f8428c361b8ce080580b42bbc0a0ef74714c534df2f9c7f1"})
r4 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r5 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
fcntl$dupfd(r5, 0x406, r3)
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r5, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$RTC_RD_TIME(r4, 0x80247009, &(0x7f0000000040))
ioctl$KVM_RUN(r5, 0xae80, 0x0)

[  381.248356][T17117] binder: 17116:17117 ioctl 40046207 0 returned -16
[  381.248408][T17111] binder: BINDER_SET_CONTEXT_MGR already set
[  381.288511][T17111] binder: 17110:17111 ioctl 40046207 0 returned -16
[  381.337358][    T5] binder: release 17110:17111 transaction 1712 out, still active
[  381.345443][T17118] binder_alloc: 17110: binder_alloc_buf, no vma
[  381.355470][    T5] binder: unexpected work type, 4, not freed
[  381.381745][T17118] binder: 17110:17118 transaction failed 29189/-3, size 24-8 line 3147
[  381.390792][    T5] binder: undelivered TRANSACTION_COMPLETE
[  381.409972][    T5] binder: undelivered TRANSACTION_COMPLETE
15:42:34 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x18, 0x0})

[  381.424748][T17155] netlink: 'syz-executor.1': attribute type 1 has an invalid length.
[  381.435599][    T5] binder: send failed reply for transaction 1712, target dead
[  381.461292][    T5] binder: undelivered transaction 1715, process died.
15:42:34 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x68, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:34 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x600000000000000, 0x0)

[  381.554643][T17269] binder_alloc: binder_alloc_mmap_handler: 17253 20001000-20004000 already mapped failed -16
15:42:34 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x48000402800, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0xc81, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_GUEST_DEBUG(r1, 0x4048ae9b, &(0x7f00000002c0)={0x1, 0x0, [0x5, 0xfff, 0x7, 0x80000000, 0x53, 0x80000001, 0x100000001, 0x4]})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

[  381.636143][T17268] binder: BINDER_SET_CONTEXT_MGR already set
[  381.657294][T17268] binder: 17253:17268 ioctl 40046207 0 returned -16
[  381.670219][T17344] binder: BINDER_SET_CONTEXT_MGR already set
15:42:34 executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
lstat(&(0x7f0000000000)='./file1\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, <r5=>0x0})
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000080)={0x3, 0x3, 0x105000, 0x1000, &(0x7f0000010000/0x1000)=nil})
ioprio_set$uid(0x3, r5, 0xffffffff)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})

15:42:34 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r3 = dup(r2)
write$vhci(r3, &(0x7f00000002c0)=@HCI_SCODATA_PKT={0x3, "c7cb322587c620835a14b72eff9f4d7e83acc12007d9ee9caff5a1f609983feb6e1bf263f3037cc4c06900a9774f5bb684c01b09eb9549ec53efa6dfedebb6f17a4e5d677623d9c445c022f46b6d3fa342bfb41f883d435c029fa1de087e5299af305acc601210b5463b544adbca81c3444b4814ccc3fbadb9258623a61b153e04939a211e4bec06145479327b06b456ac7c8ccb257a38558edd78080c14e079f65fc851059703845154aae6a79a09bbcef77b0163bee6805912b719d9e6c5efc5e0e4febe28c4e085413cbdf88dd238b3968c80f2069ca7d72dd15354ad9b571e10b187f8896f861b9589e871ca8ef6b260b5502956c1a3f37e1d407bb8cca37e687771946d6e1dd9258f88e06d38a93217190c75822dea8f7e783a6d8e182dede16ebf6abec7f4e326f4505979737dc09056c675eefd2801dd1d863984c3bb212700fd154af103113209b7126be99bb3669869ae6d1d6ab9c0c8a3b92b052cbe67c53bfe9d52e68dece082a88cbc2c6cb101f7901d83332cdf8476837ce476f50fb11e46fc84b94573f3e4068d445a03161e5986f7e3f8a9cc5e79a10250ca1703501ac98afa4b276638bf6cfdb02bd51e720a7f553a7731ce87dfcc79b5b321a1201397232c4f8ca34ef6a3ff6f456d61df9a1f6967bd964bc6ed783a355d9e450570c060a3432f76434be59355d41daa69682290bbec221cda1bac16b2d17702a0055422994dd90f0bfdc1d3c30f5e3e0867e506b9c26acc1e577a5ded27265ada552ff9625f927a477b1c9a774cc776e3c71593cdcc220e31e2be8e48c56430021a1a587d6951dfabc72ccf02c2bdf86d535997b9e306fcbd80868627b167e68b1f2fcff1777f71eec74206aa89d87f87cd14ed3a01db2ee3e91be8782b475e14f4fb0ce2449d2d88fcc6df33683710199cb38fe8d7a9ec52e1cfbc7ebfa9607e957c5fbc29b8cbc1c9e7e1a6938acc22d9570de6fdeac944403dbf965f5c2fead21d8f0a80b2851862aa4e3dfaff6ab5ecd792d0e67512c6f512b83e74d90783fde60c707b12107e41f32d90e2da2a102aebf9b63120a77f4f5fc50d4c34e5fb6e0026150d40cd0282b5b6d181c9f30404c43aa3f3609129e4e487c288ef423dc78faae63e03a78917e44d95a1bdb2dbcd5ccba0398c63cd9c28b8f2955c79fddc51851ae961abf7a2ad4c85fa251a802c70dbfc71e76e202780f972812a346a02c0c8b4930995859eeebe305ac880f200a15db981f5f8ac5b565b34976a473ff28cdce11d27d07f3d628e6538bc9e248ae3f834e322bab3c2808a9b5490380d2ee7a592f90ab2a3654cb958322541c92c039aca76e9816f7bf5ec0d64fa50072176aaf473eacb4bedcdf9ec03115d277aefa0c3376037fc9cdf8ec53309b088fce85b4b165a69f6cd825713418af76009f5c9041948708a204444f7a7e52b45dab4e644de985966ec4d10f1e26aa6f07bc33a9d47dbc7adcffc6b69f322e9079b28f18a2f96ae88cce354cc30eacfdc5d30f7677d8aca95025119ab33e6c2239c2e000fd0b0cfafb32f7e8c0f40c5e21f6d0d713d053cc6a3b85f1efcfdc620d44e0929d680f36ce1fa4308d1c0339c50087a8a1f5f27ed00fbdbe556b4a3d622fa04bc4bfc3d73c8f6cda7fb0d4e0f54855aa8042b59b33dcbab53ca69bfb93fe3616185c3ce82e091834c584dfe8b67c6a08998f6c73329ec746bbf19b161f9fbf4114ae8d748b2819f76e6e4811d1c0eb0accfa2cdb467d64525346126522286d2e56064e834c37b13f7fc43224d3c8cd133f402ad4ac68a0116bda2098ddd69b1f2bce5093a7101ead7827307049de89be32fa7dd9aa4ace36f4d1254790d0acebb50cdf42a571e3a66695dd8d6de2ef8d8ff415ca39a8522c8a5376dcdc269a172798d080b892fe1fb855ef7ed0f95e43230772f1f0e793ccac0f53c33e245821bb10a08bf7c598ae0e8ef02cbe40ff2fc8968a9d75068bdcbf814fdfa2bfaeeb88ec7e93ed14d917ca3098f7032ee9a3d48afcada9c80e86303750b2a61daa0430aaf22fb608a50a579e4e9eb2a1adfd249f4e3f502da0405778db8004c2f7a33922e7c6521e81cce333f0cb10356b476074394339f0db537e12e2373a9f8f0ced49f210b17f53c7ee1d386b1351abbb5071b18abb54d16688835515134e11fcb3da6a5129780e2343bfe6b3590773427dc3d5584305e0f4ed1d27b287b47dc0fcdfbf3cb689d98e681ab39cf69aece051b87c99009e6e36d6f1ae6d4bf39790e3269382a26f19963539d9877c28c6dbbbbea18284fcd2789e1b1a4d1a2f5dac3cb8ade1b6c1f6a1f3467e5b7f71de2c9f779b8d8bbe8c37d03d1f69ef3d699219338f076baa535edb6c8f15a2b22626c43585ceb90eaf8c562652d2c9f32fd6bed185e7d091a0df8a3c8572b976f4bdd494776c6b4c0a94da33f05be3a3344b6533c60c5ef46e3d6c5aa290809c6ba9a93b91c7c61fcce7283d7162eac0713007245b65c2a6cb4b1452f3d78f903a1f4fa2d535fd6c24906e7a08cc594967b4078d59ef93d389a6fb587c0b817d56ab8c104d9cffe0ceba14dec5f653185887e0fb4860706cfd4f63353ef97372cf4abb29bb05aa1adc3cc48a7fd5b563b932e6a03bb8d0c1ddee0b192672261906c6e11e0b3ffb4280756055c2a75e1737f2aa1c4248a2a3aa4a9fce9b641b93dd90a6aa82482c7508eb83189e0f3c2c5d83396eba30ff6f54e2cdbdba7d5ccecae9962f0db8afbdd6edb252495b4c4cc95dcf94c64e61b71e67e235a533cc283652ee21d386df646e5ceeddffc3a701a8afde75106f21f3ea1913da60ae9cd2c30ce1efd13b12dac11dbeac3a55403f77f48617cf8edcaf279717b1348481c47455cb03c1f53dd12cfb727505a9e529946aca41d29b4e92768c2ebd18bb6e07469c5355ccaa1d3423e11fc6d870ce89209fce73d69fbb71bdb1ee1599e62bce5fb90c1a3e72514bc07b62456c7989028fbc84bd3a6c750de2ca49fce58327511f09b4a82af70db2385671602e39c03805ba915b6f34b7f965d43547192baed159b5b67f64954e83988767c78113289954ca6055e748c2060360f646b5849a290caf3ba607cadf6da63be46c1b0670e46fbe1039b1a027c9540c278bd9b5740318850c61275b4b343fbc830c82bf5329d4630b8c039a48c61661a35d397f35753e381779f29c1dae2bca5633444fec0674dc3060e73ce566399c8a4db1ed0776663c2a1be6888d8c2b7dcd7a93fe77b1ab233740fba296eeb0a72807e7bf20d9d768ff31ae3de7493740c02f08fc6ea242bbc019521bae7b61803bc257690d3a22c9db603bacaf8868d5ef5f7884a6acfe66ed578001192c96e4de561cec19c321cf6f59f337d8a9ae514442c94edc9f1526971e97beca975923aeed7bbfb716e381daeef86f1576a38aa30b4d6c33f7694ab0feefd4f24bd30bbca6b10495e7d41ff42b5b8163ae32c7fb762c6ae8435bf34f776ed89cad5bb1450aee311f77bb50cc2b69ace2b83eb461ea3337dcbbf5c2915ea9c9fee58ecf8b1e60ae5320ba7b1d8dd4201f41b1a98a315c659b82f867a6d1aaf1fb7290f97800a0911ea6e01b0b4e2996fabc53ebfec398fe29d0d425d0f05a583fabf41db362ae5026ae0489450ac7db16f53b9f8527db8ec0c989b5ee1fa0d031c1624b2b20dda5df21bf249b915464f67f99202c7617a7a8852eb8e19aff084bd71f709723d40a592af2b97aaf4ccde246180959d4000215ae3dec1131f531ca5f35cd0e5d0e2746132b687c53b8b4f2ee7878fa876e3a48d7b6b1f5a17ea3e0d32881904ce1792a93b06564ff714110c2c7354129204a0715a458dd2e97d09f46787cc4e0f953cbf74d10ab7a6e7c8ad4f3cd117344ae7915225cac3b501196588c740b7b15e2192661bc41f5f3f85d977cf6870c318937b7fb2ad0f4d6a63612b2b7f03fb5e68ea832341dbeac8a5fa1ae7565831711858e550044ccee51504ec87b67c8891d014255e087084b958c6f58772a36220189fb110015589510912d66deecbea701040f01912fe0abbe8e6d9bb87e6f70b9ac540dff9582ce49db201c136dee531f1e0ec158d4d8238c847744dcfb2b224bcbf44e2a0a6641d3ac92fd4011419320dbfd172d2dbf7fdc7b01aff5fc17596cc988cefb81ce6f6720546eb44b41f07b746b918222215e2e2c49a917e118c19816190a9dbcf4f09a6da7a7959b5e153a1d38e503b2c066708a3d97bccf8e2fc5e2e12de42f33393903e408a2aa8d22fbc56ca6fd3ba49a759839d32f7f48e749e9727112bb21cae644209339ad4800c7711bd7ef563c863a5468eabe2e1caaae29ea9b81ab8c873937bb52f38043c4269930df212bbe69d1099f032a65ab0055c8f704f73f30c24a8b1b3ee3858ae4753244762e9de988b46252d6e100391442940c76b872dad2a7311f5703c92ef08f509c7f193dcf19c9063f0c0ae706dc7cfff224a2493f2063388885084fa98b48f9c08d9334c23158d8d8327277ecd063fa55a2f53cce9fb1aded4ccb26c9cd289e78bd6a9ce63365d6c9849b2a52f9a8f09324832d21399a053bca403bc5132ac308d2754cf9b2e2e085b101799b502ae84b24f645b7f220cfb00aa609cdb565e91e599a37e7e82c278c6cf33a18c77bd37c2e9caeba487b48b0cb737c60b201ed99d7e6023c72ebb90b65e452cd9217ed1574b51dee1d1570cce5bf9f2760769576fb36fc19f9120e3b786466d4e24d4bcb9d8b5c7bdff02986030ea57b8d198c3ab346ed23391fe1f811c5efb7142c3d2d6f4723648fbec7250ad710c62fa2eac63094671f553248ef94cc96d040760db5acb3d61c106a07ceaa73d36013ddcf55d2bbaa94d4bcd290ffaf4e61ab15341ad092fbd9e2d2863fb71f312efdd4630bf6c2d5e88d1e1f3995cb2a9773698cac6852ed6b201e85e2dcf2797d7217b7c1ebf95b50adbe015a18b57b5e10ef2f0132dcdb9edd5f85edc5d2430ccc3c27ff6842b5c5847d326fb606bd633a8efeb819eb68a74f18809630a8453a843be7750e40ce0ce874c4e1d8bc8c4e08c82ae83784db02d6d09350a1013277f7af40c2293775746e97530879a54dbeed5357c35b1a7a35430cf606de22f199d0b7b9e2c8c92fe6e1683a0cb582578cc5668bfd4d6e78b8197d408521bf0de08e8538051cc583a99ed417b1d338e3bb64498d8647dc10fe489cedabd325006b06d9b6ecd6c8724fed19f90ae9001ed3b5ecd4c44d11ec7cef5fd81174753a22e6dd59aa397e8c748e45256d10c758456181d0e9b4699db89fce3d764d6eea1b26d405fbc5a6120724264d81edb40955fa6209dc6435288bb3e6369652585f06a71abfaca467af0cf7a637b8604dbf2360c691caf4a5114577326a7f3aecc07a8bd8f7bc12a6c1ac0d25d215216afb3ed384df0bf83b71f796edb08f320471af68cbd10d5d748e8df5b75654621aac92a2dfea65c87eef77a52e576dae8372f324d671b16d92f262616a89630a183bb905a433d88f678378622a28f58021e3099ea30063d35faaeba3d288b669747c90086baabcba3ab390cf1f910d616250543209c078cd43f60a0056c856104a09f2b8429544682344523016900c199e8babfd4217981b3a35158cc147e9d7543c4e4f140ac8f16ce30c33456a3034318d77e84c58117e2b78f2eae8adc232e43f3a913489a2bfabb222713be4f805c1242d33c9c7dc981ed9fd3896773645a0ca0a1bdb25804f903191ef7dd5eed7916cbcf7d3c2888dda9dae53966c004a55743"}, 0x1001)
r4 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
write$P9_ROPEN(r4, &(0x7f0000000000)={0x18, 0x71, 0x2, {{0xc2, 0x1, 0x4}, 0x80000000}}, 0x18)
r5 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
stat(&(0x7f0000000040)='./file0\x00', &(0x7f0000001300)={0x0, 0x0, 0x0, 0x0, <r6=>0x0})
ioprio_set$uid(0x3, r6, 0x81)
ioctl$KVM_SET_REGS(r5, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r5, 0xae80, 0x0)

[  381.719583][T17344] binder: 17342:17344 ioctl 40046207 0 returned -16
[  381.720617][T17347] binder_alloc: 17253: binder_alloc_buf, no vma
[  381.749781][    T5] binder: send failed reply for transaction 1718 to 17253:17268
15:42:34 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

[  381.783406][T17354] netlink: 'syz-executor.1': attribute type 1 has an invalid length.
[  381.790154][    T5] binder: undelivered transaction 1721, process died.
15:42:34 executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
lstat(&(0x7f0000000000)='./file1\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, <r4=>0x0})
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000080)={0x3, 0x3, 0x105000, 0x1000, &(0x7f0000010000/0x1000)=nil})
ioprio_set$uid(0x3, r4, 0xffffffff)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})

15:42:34 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x1800, 0x0})

15:42:34 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x6c, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:34 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x700000000000000, 0x0)

[  381.995672][T17465] binder_alloc: binder_alloc_mmap_handler: 17460 20001000-20004000 already mapped failed -16
[  382.046414][T17461] binder: BINDER_SET_CONTEXT_MGR already set
[  382.072810][T17461] binder: 17460:17461 ioctl 40046207 0 returned -16
[  382.091025][T17473] binder_alloc: 17460: binder_alloc_buf, no vma
[  382.093308][T17503] binder: BINDER_SET_CONTEXT_MGR already set
[  382.139545][T17503] binder: 17479:17503 ioctl 40046207 0 returned -16
[  382.139572][ T2597] binder: release 17460:17461 transaction 1724 out, still active
[  382.154441][T17465] binder_alloc: 17460: binder_alloc_buf, no vma
[  382.177540][ T2597] binder: unexpected work type, 4, not freed
15:42:35 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x1000000, 0x0})

[  382.184564][ T2597] binder: send failed reply for transaction 1724, target dead
[  382.199820][ T2597] binder: undelivered transaction 1727, process died.
[  382.236250][T17620] binder_alloc: binder_alloc_mmap_handler: 17611 20001000-20004000 already mapped failed -16
[  382.246913][T17612] binder: BINDER_SET_CONTEXT_MGR already set
[  382.262971][T17612] binder: 17611:17612 ioctl 40046207 0 returned -16
[  382.270103][T17620] binder_alloc: 17611: binder_alloc_buf, no vma
15:42:35 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r3 = getgid()
fchownat(r2, &(0x7f0000000000)='./file0\x00', 0x0, r3, 0x800000000)
r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
munlock(&(0x7f0000ffb000/0x4000)=nil, 0x4000)
ioctl$KVM_RUN(r4, 0xae80, 0x0)

15:42:35 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x800000000000000, 0x0)

[  382.290521][   T12] binder: release 17611:17612 transaction 1731 out, still active
[  382.315818][   T12] binder: unexpected work type, 4, not freed
15:42:35 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x2000000, 0x0})

[  382.335155][   T12] binder: send failed reply for transaction 1731, target dead
15:42:35 executing program 0:
r0 = open(&(0x7f00000006c0)='./file0/file0\x00', 0x414bf31f4cfba5de, 0x91)
ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT(r0, 0xc04c5349, &(0x7f0000000700)={0x5, 0x7ff, 0x90})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r2 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r2, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000240)=[{&(0x7f0000000000)="2e000000110081aee405d10200000e00fa076b000900000000f3ff500befccd77f00000000081c5eda00b0eba06a", 0x2e}], 0x1}, 0x0)
r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r4 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(0xffffffffffffff9c, 0x84, 0x70, &(0x7f00000002c0)={<r5=>0x0, @in={{0x2, 0x4e21, @empty}}, [0x3, 0x9, 0x9, 0xfffffffffffffffb, 0x0, 0x0, 0x2, 0xffffffffffffc0ac, 0x1f, 0x3, 0xfffffffffffff818, 0x1000, 0x8, 0x5]}, &(0x7f00000003c0)=0x100)
getsockopt$inet_sctp6_SCTP_RTOINFO(r4, 0x84, 0x0, &(0x7f0000000400)={r5, 0xbe99, 0x10001, 0x1000}, &(0x7f0000000440)=0x10)
r6 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r7 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
r8 = creat(&(0x7f0000000200)='./file0\x00', 0x40)
setsockopt$inet6_udp_encap(r8, 0x11, 0x64, &(0x7f0000000600)=0x800000000000005, 0x3)
ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r7, 0x4090ae82, &(0x7f0000000000)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x800, 0x0, 0x1000, 0xfffffffffffffffe], 0x1f001, 0x10000})
r9 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000280)='/dev/vsock\x00', 0x0, 0x0)
ioctl$KVM_HAS_DEVICE_ATTR(r8, 0x4018aee3, &(0x7f00000005c0)={0x0, 0x8, 0x9, &(0x7f0000000140)=0xd1})
openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000680)='/proc/capi/capi20ncci\x00', 0x100, 0x0)
ioctl$KVM_RUN(r7, 0xae80, 0x0)
ioctl$KVM_SET_XCRS(r8, 0x4188aea7, &(0x7f0000000580)={0x2, 0x9, [{0x8, 0x0, 0x1}, {0x200}]})
ioctl$EVIOCGBITSW(r2, 0x80404525, &(0x7f00000004c0)=""/162)
ioctl$CAPI_GET_MANUFACTURER(r6, 0xc0044306, &(0x7f0000000480)=0xac)
flistxattr(r9, &(0x7f0000000640)=""/46, 0x2e)

15:42:35 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x74, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  382.375976][   T12] binder: undelivered transaction 1734, process died.
15:42:35 executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
lstat(&(0x7f0000000000)='./file1\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, <r4=>0x0})
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000080)={0x3, 0x3, 0x105000, 0x1000, &(0x7f0000010000/0x1000)=nil})
ioprio_set$uid(0x3, r4, 0xffffffff)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})

[  382.461379][T17698] binder_alloc: binder_alloc_mmap_handler: 17690 20001000-20004000 already mapped failed -16
[  382.503443][T17695] netlink: 14 bytes leftover after parsing attributes in process `syz-executor.0'.
[  382.509173][T17691] binder: BINDER_SET_CONTEXT_MGR already set
[  382.525658][T17701] binder: BINDER_SET_CONTEXT_MGR already set
[  382.531897][T17691] binder: 17690:17691 ioctl 40046207 0 returned -16
[  382.532141][T17699] netlink: 'syz-executor.1': attribute type 1 has an invalid length.
[  382.538865][T17701] binder: 17700:17701 ioctl 40046207 0 returned -16
[  382.539466][T17701] binder_alloc: 17690: binder_alloc_buf, no vma
[  382.568183][ T7756] binder: release 17690:17691 transaction 1737 out, still active
[  382.580114][ T7756] binder: unexpected work type, 4, not freed
[  382.595602][ T7756] binder: send failed reply for transaction 1737, target dead
[  382.611180][ T7756] binder: undelivered transaction 1740, process died.
[  382.619832][T17702] binder_alloc: 17690: binder_alloc_buf, no vma
[  382.631821][T17698] binder_alloc: 17690: binder_alloc_buf, no vma
[  382.638754][T17695] netlink: 14 bytes leftover after parsing attributes in process `syz-executor.0'.
15:42:35 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xa00000000000000, 0x0)

15:42:35 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x18000000, 0x0})

15:42:35 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x7a, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:35 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ppp\x00', 0x0, 0x0)
syz_genetlink_get_family_id$SEG6(&(0x7f0000000140)='SEG6\x00')
ioctl$PPPIOCATTACH(r2, 0x4004743d, &(0x7f0000000080)=0x1)
r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r4, 0xae80, 0x0)
ioctl$TIOCMBIS(r3, 0x5416, &(0x7f00000002c0))

15:42:35 executing program 0:
openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0x80000, 0x0)
r0 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm-monitor\x00', 0x100, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r0, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = creat(&(0x7f0000000080)='./file0\x00', 0x10)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x8000, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)
ioctl$KVM_RUN(r4, 0xae80, 0x0)

15:42:35 executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
lstat(&(0x7f0000000000)='./file1\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, <r4=>0x0})
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000080)={0x3, 0x3, 0x105000, 0x1000, &(0x7f0000010000/0x1000)=nil})
ioprio_set$uid(0x3, r4, 0xffffffff)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})

[  382.866907][T17919] binder: BINDER_SET_CONTEXT_MGR already set
[  382.915014][T17919] binder: 17918:17919 ioctl 40046207 0 returned -16
[  382.922684][T17929] binder_alloc: binder_alloc_mmap_handler: 17915 20001000-20004000 already mapped failed -16
[  382.983805][T17949] netlink: 'syz-executor.1': attribute type 1 has an invalid length.
15:42:36 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x2000000000000000, 0x0)

[  383.029022][T17917] binder_alloc: 17915: binder_alloc_buf, no vma
[  383.050349][T17991] binder: BINDER_SET_CONTEXT_MGR already set
[  383.084754][ T7807] binder: release 17915:17917 transaction 1745 out, still active
[  383.095410][T17991] binder: 17915:17991 ioctl 40046207 0 returned -16
[  383.105602][ T7807] binder: unexpected work type, 4, not freed
15:42:36 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x300, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:36 executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
lstat(&(0x7f0000000000)='./file1\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, <r4=>0x0})
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000080)={0x3, 0x3, 0x105000, 0x1000, &(0x7f0000010000/0x1000)=nil})
ioprio_set$uid(0x3, r4, 0xffffffff)

[  383.150846][ T7807] binder: send failed reply for transaction 1745, target dead
[  383.185406][ T7807] binder: undelivered transaction 1748, process died.
15:42:36 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0xfdfdffff, 0x0})

[  383.268003][T18043] binder: 18039:18043 got transaction to invalid handle
[  383.405621][T18100] binder: BINDER_SET_CONTEXT_MGR already set
[  383.430989][T18079] netlink: 'syz-executor.1': attribute type 1 has an invalid length.
[  383.448061][T18100] binder: 18082:18100 ioctl 40046207 0 returned -16
15:42:36 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
fcntl$getownex(r2, 0x10, &(0x7f0000000000))
ioctl$SNDRV_SEQ_IOCTL_SET_PORT_INFO(r3, 0x40a45323, &(0x7f00000002c0)={{0xf0, 0x401}, 'port0\x00', 0x20, 0x40, 0x7, 0x5, 0x20, 0x3ff, 0x4, 0x0, 0x0, 0x9})
r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r4, 0xae80, 0x0)

15:42:36 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x500, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  383.508220][T18152] binder_alloc: binder_alloc_mmap_handler: 18082 20001000-20004000 already mapped failed -16
[  383.537941][ T7807] binder: send failed reply for transaction 1751 to 18039:18043
15:42:36 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x2010000000000000, 0x0)

[  383.564851][ T7807] binder: send failed reply for transaction 1753 to 18082:18152
[  383.584103][T18100] binder_transaction: 9 callbacks suppressed
[  383.584122][T18100] binder: 18082:18100 transaction failed 29189/-3, size 24-8 line 3147
15:42:36 executing program 0:
r0 = syz_open_dev$adsp(&(0x7f0000000040)='/dev/adsp#\x00', 0x3, 0x2280)
ioctl$KVM_SET_FPU(r0, 0x41a0ae8d, &(0x7f00000002c0)={[], 0x503dffed, 0x7, 0x8, 0x0, 0x80000000, 0xf002, 0x104000, [], 0x5})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
setsockopt$IP6T_SO_SET_ADD_COUNTERS(r0, 0x29, 0x41, &(0x7f0000000540)=ANY=[@ANYBLOB="6d616e676c650000000000000000000000000000000000000000020000000000020000000000000000000000000000000000000000000000000000000000000000000000000000004455b5bda79c4966442282311545de7b9abfb07c0f723a8d8bd91c76d2ca03075feb7a6aedbd079adf79a119de53e85e931f4a187c4d31b6b96a72d31822ce"], 0x48)
r3 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r4 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$TIOCGSID(r0, 0x5429, &(0x7f0000000140)=<r5=>0x0)
ioctl$TIOCGPGRP(r0, 0x540f, &(0x7f0000000480)=<r6=>0x0)
getsockopt$inet_IP_IPSEC_POLICY(r0, 0x0, 0x10, &(0x7f0000000600)={{{@in6=@dev, @in, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r7=>0x0}}, {{@in6=@loopback}, 0x0, @in=@local}}, &(0x7f00000004c0)=0xe8)
getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000500)={<r8=>0x0}, &(0x7f0000000700)=0xc)
r9 = geteuid()
fcntl$getownex(r1, 0x10, &(0x7f0000002e00)={0x0, <r10=>0x0})
lstat(&(0x7f0000002e40)='./file0\x00', &(0x7f0000002e80)={0x0, 0x0, 0x0, 0x0, <r11=>0x0})
getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000002f00)={0x0, 0x0, <r12=>0x0}, &(0x7f0000002f40)=0xc)
r13 = fcntl$getown(r0, 0x9)
fstat(r1, &(0x7f0000002f80)={0x0, 0x0, 0x0, 0x0, <r14=>0x0})
fstat(r2, &(0x7f0000003000)={0x0, 0x0, 0x0, 0x0, 0x0, <r15=>0x0})
bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f00000030c0)={<r16=>0x0, r3, 0x0, 0x1, &(0x7f0000003080)='\x00'}, 0x30)
getsockopt$inet_IP_IPSEC_POLICY(r0, 0x0, 0x10, &(0x7f0000003100)={{{@in6=@ipv4={[], [], @empty}, @in6=@loopback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r17=>0x0}}, {{@in6=@empty}, 0x0, @in6}}, &(0x7f0000003200)=0xe8)
fstat(r2, &(0x7f0000003240)={0x0, 0x0, 0x0, 0x0, 0x0, <r18=>0x0})
r19 = getpgrp(0x0)
r20 = geteuid()
getresgid(&(0x7f00000032c0), &(0x7f0000003300), &(0x7f0000003340)=<r21=>0x0)
sendmsg$netlink(r4, &(0x7f0000003440)={&(0x7f0000000080)=@kern={0x10, 0x0, 0x0, 0x10000}, 0xc, &(0x7f0000002dc0)=[{&(0x7f0000000740)={0x1464, 0x20, 0x0, 0x70bd2b, 0x25dfdbfc, "", [@generic="c71383d2abc0b64557378387e78ede40e9c75356a41dd50167cf23a63ee9a4b7da4d1a92978fb3f21c2c4b84ecbbed59f1970a49f46f00fb88a5854ef866f2fcde0531509368f2c5439c0e6d22b889eaf7273889506322a67baf53f07c3b8a802e41c8defe764213822edfba29797290907498e3933d72673305e51d3c68f7b2527b983cfb99e1f3745568b49d9fb356bc0150f2a78076d1d7f4c4e78e989bf9a69bdee356a84fbda8584ed77704a10aa070b4ce4036c276147c030a9ddbd7c61885abec462cd3b220a4521e58cb9661c31b8f6088e5b589cd7b3487980ec98e9e1e91fddd15c0f2197f549eb753e77c334310b338d2acb53e64506753f665ba8e45d1ce67a75b769ee3d7c58f9577c0ffead69edc3fb3f0e6e0e0d22edd8d5b211615773f10dcf385e72438f8306dde34ccf6893652b665d9fd8df1b8e595d34a0f91231532db85320fc55550a4df65df28cfa31f8f049577c104e194656743c7f5756572907ff458d33ed23135a9f4ad3401e86f38609896f74f04b43b61591c392456827e52b76bffade4de2939ceee9c93512be2e87da31e8e7e244d5640bb620a9c5cb99c74037431a8d3b23e5acb7c3d15a9cef0c3376c1538a7b92dee3be60ade1cc04651e7614749b1e84cee1216ef2df4854f7381fadd116f73c90c368953840ee5f827bb8a5079dc4dcb702ae785d6205f47d538f8faee5d67cff7ee6ed09b8c55487e7f416bb052ce60527896e0b14809c13aca86416ae5daadf40e31a08f084f12cb13b43df0bb6427d8843bb5f5130fcd02300d18ed23dda2c036c81bcaf8b2fd7930be6737a76013621a80ada143948f02fe313a5305d49aa77963fb7a64d6d55ccdfa48ec7072a6510b1a4c19834791e6c47c797cbcd5ec8341c8c79878232b7cc5e17c3bc0a29553f1268219c68279da5cf04ea54ad12518d31fed26b91ea72c19b28bb136ad374d67f4ec5a007f5f18245764ade45d326c9b945a3c8cebe273f216273fb2194abe62d4ca9e1c8f277956cc7e83b1a89a9e69ab52eac6d579c3c8e9af7ab022ca860d867cfa0584b6d01b7f72df127847720c08cbdb7f6f1cf02e86d072f3ff716f67a33d11d24fcb5dfb824c098b299479d7238226dd1bbbe2df1da59a357b3c700f9d922875bed8df46473bd5fe84f3c5f71639920bd302e78284abcf400b59d503467b539ca4673cdd8025bb2d0c1ba2a7ec4e15499f0b2de5d5f7c9e87c959a914f01d8ba17c6bb3caecc77c9fdcec76720928b295f3b16cde9b572ad29b4204f3852fdea2e88057a52d235215575e062824a984ba108ace922459f4a2a360541a3c30db6bdb41eed1e941f179ef1ff43dc5a5eeb7f74b8eb622996e28d51e0a19c7cc974ec84786a411bdc7b147266f7872b4c1c6e46927904b15dadeb76893bfdfc7ecdaf521de25768d3c7066386e81823d9b3a2f9ba444c28459150d212ef4a1e75aa6f33545c44bf772c20edad55728159d118a0b3be42ccfdf1d818a78fc75077ab2d8e3dddbc2e140dff8873fa6222a00e6de5936a97c11823caf51dad7cec59f252a93ae07d73093710024844d4e108a8e423e77e493078898e5e9339879d971e0ad9d5b42740dca49671a3cb32df0a27cde2da6f799e87dbf0d653031c16a59bf7626b24e6d6d94f4feaeae86a024aafe8a7b9c3e28a799535b7906010238e2cdba406de24764a73e4d2af683c1e27e48b1a8118360a0492bdeffc1990f6dda67d65383565dfe66bce1093a86835f5ed9f684959e67ddb7e1167638d7aa1f1cf9649a383c7a9fb2ed3034aa92823b69c75db6ccf6d089f81ff53ca7bd472235813ba1d11a9fa0ca3c4bc6da64986aa618ce2256a8483729176df50811f109ee9f892f77f3dc57ea68c768253e2b2174c25f157278c36de37d88596f9765d2725c43d0013dc76d3906a3c022679586bc90f42d7c1b0f06708a97f6aeb82e5b45874421e6aca53bca21e0836b7bcad7bb2d9ecb8f259c17658e10780405e5a54c8ffac2822ab4f9d0ccfb6cd693caf21799edfe4f0d0b617e4a825ed3064bd9eef17258539e99db785b0d85f7daf256c2d37088adcd5ed5fc7097e63ff6914d83eab46572fe5add4016084561dab1c203ce1943321ead78c101fee5fcbfb661f2376a5e39c2c1b9e30f4f1c9e6d812ed93d74333c6c866f42665d844ed6c36da745093c98a638c1f3d72fe97a7d5335ea3cdcba6803b3fdc9af5a55d0a2313fa96e5044d678660ff8604dcd6d7ac6c2d0c2f8b0bfb309a73691c15b27f50607fc69f42d3af8f60fee49a5e6eae1d4f11c91f7f824d3c220823627d2b4c44ef02dbfc639f1b81281c88f556d5dc6ddcb6cdf828006036c74594bac698fd083359a84116ca74216dcf76e05401e363ff68c2ad9317c0e3c3726701ec644a5696a17423d9bf6264daed27e6f069c2126d668312fea3cf6a622646e44411e61a464377060dbcb11cb192f638ac4a95de733ba52185b6d0ce6d89c5d8b388723351b7179e4db919f8c326dcfa0ad7cacd451608cb2f68c526a6b1d4e78552da0a663ec837dd21573c13dad8f81540810c931a668ed2acff95671fdd2d6f18279db3d9db0805000b6021ababaa884ec63f18009aff2f5e34e561de10ed686a50799e3bc456d30fd2a52cc9466d67bedaa206fdf4a20c1141b82ee2fd3865da432140a824843d902c4749c5cde0d02475d2ee518ebe22cd239ff3b9926746d7f4ed0bc5af5fefa73d26b46ed10b3c197aaf1f807f9a993e57abffa5a7fc764e78408b242d00aea7f437b754dda30313dea2c15fb0b7fa9a7052cbe396a750dceca8c7c5dbc530696d222604454e1afccd9495f91d64bf001572930a73fdb9eda8f0333b3b524aa762206b79587ca61dc42155cb55f6833d89cf10a7cf01e83b3b886c342d2d51695262de2c62ac470202ff779376d0c2baf6459cdbe4575c14aa96e4d2c5ade60191ad6a697f61838dc343bdefbb6f3c27eae3ec32cb9a0a54492c5f3c7640e2cb8a508492d201b74e4263663112078999d73999532e1eb2542a107d7b4e886b9775cdd86c55fccf0caf767fe475ef2abdcb6c24e3ba723eda4788cd8536930b8a54849e79bd6f3d1e84601b18f43b6aebd8d8991e8ae7bdbb6adb2fe520c16d48cdb7a9e43f066a246bc8525444ac83fbe4163fdbb65acf5058cea49c5b1356151b986f53d9ec7c2c49c85f94be04c5909f3568bbbf0be6180400ee3e3b342e3421834209eac7ff9c50a759f5e9cf6a0a8a2692d27b45e0f0735ac3c9ee2fb5e6a164bd388dc06bab4ea9efef472cd121d3b4892410a6bd2d1c4843ee9a838d73d7a8d7921390a2f2f31dd28af34a63b6cfff362f4133e9f6c115fad48e09285620ad09c82dd571d4228f436808a6a8a7f23001587a57539159a8a22e69f028e1d5eb14724c435e3360be2ae30920346b2dddecb599c414f6a962505aec7bf0351ded17d08e42c104196089678466f1406fb562ae6725d98e97229cdf6ec84a3d9005a1df8bf1a5985e70d823872cd3ae01fc9aa71ca5e0ad46ab7176d8813daf432ddb0dbb877f4422471f335b7ee17ab40f5202ba1fc4711a548d0ff3aeab03b754a339c7fc2460c724816dd8d47285df2029e905611578dddbcc87f697765e41417a70767f58bf9234b97380e8c925396c4753dfdd9c5753156ecab477953e43fab9ce722ba38bc2b24261525983a3e66ab24b8fcd7e4ae326590ddc3df1c6d63a788eabe750ae1816e050cb1246b2263055d9ca1610ad5d8ec471955a0ffb0ad05c6404c1595591d03c18fe2baa1f2671c6f8c9a85808ca4591f090ef22c61897466c171d52d83967520cc929a3da180a20e26a99970a31799d00a867317b90f34735af1f741bf1fd53aee6f86122772a58d0fe3e46d0a9dceb26acf3c4497cd969efa3ebb19024c58fe665033f091c6811967ff961c6cdefcc56c7660835ff53891071f73d49d2356d824a5e9984dc50722e2084b88e3bf70aa12f461d403d890469f0708581402f30113479935a75811d31ca45cfb08e37d11587d7fee5bea8c020405b0ae51fb2aa2ccf7a083574abb678d95943a78cb0f17d96818da42628739d138f69cff23c1c42dc47487cec690cf4d38cd8c309dbdfcf8081f9e816e369e29935c15f564c7e0b9d667be3af94f56d0bc2ee769ed5bfd69b8b9f81c8fe03da896c9a4b269ccf843af4a6f2c54ec7889f011313ed343ce115f27fc38822d34eb8dc6db99a74e1a6a6500f23ac924cc18c03b1cdc4932bbc9e0fd9360d8b9ca4145d72a78ed4c0f547e05ff126698e02b4b8e25bf2751f7c6256385df733389fd941fe7b27575751bcb8a778eb6101f0354b86d46b6e14db4a959c2a8a7d30fe20c61d16ff141b91ce03f51e3cd731210ed01ecc2cb1a509927229d688518ed8b8498af2f7ad6b2c946852b3f510ab7a4004cc243aadc19eda7a7ebf8918e57d74feba0bcc0d1dc95108066dc54f1279fe290747abbfc412da53a589bd66d982742c4c6bf8c34e60b749a732555e3748c0368c1575c417328233a5bfdd69636798ae4db129e137112f1f2e86eb7a4993a707b67e7280a9acc22bbb7d2c3edd7370f0af2b29ce8507f45ca4a5f4defc9d64c989cb475ee57600b54c1af408f75082e659439e00ac2ae8492f00a8d484664d6c663cec20c451e569a777896dd6a61f06901cc24582e9a6053151681716a338704b2ff4c557ffb8ee34386c3396b10faa6778d1bf1cfbd4abb81354e24e2e3c6696c6f3eb3bc785924c71f8a6c6d50dbf604391bc980b0cd27b453f99e70ed2191057e1c40332939d9e51067e201c727d4e9e5aa7300cfc73ff5a10fb4605012c8df502d6ae4d106f4943f6c9b802e984aa4877dcd0f88b6dad1a0adb97a4c844dddaa2c9d8d538b62f65db157f77a3cb1bacc71ff1e6ad8b68196b93e13cc1dc56d9611a5ecd92bdc355af5f175d2311d6a9bb8ec386f30ba7a7e73933b10048b3b907099e0689ed44bb895dc195d22628e017c56983dd7c98fcaee9750213715df8185dd647b687cbf7feacae0dd2e8b78cd8bca5fe468c5b6dc650f575a733197e51fe2698db25c9ba743b65ce7fa629e6a4d56bfd50c812e0cab8f423b5c1782b0cfd7cbb0bade2c69ff087628cae0e259ab3e182a7e48472db87a87a8def1b53b8b139fa62452f72797839c04fd09438ae3915c0ea3b1589b3086e5668f851b90c6e837aa2999d89d841f966cc1f438d0a1d687c50058d861a27ebc7d30750d7f91de5636bb444356b99b350ee5236d4880ef66d3e8a692476878fbf7c70f0565a89becb612b4bf1315010563b7be722e67fe4b0d6992a88a5c1d816862a5882697fa09dd99995650ec1bca7dd4db4ab7c556a554f30209919c0a682cb5f3b9da52ef8ecb6833b766511510eb0612286d94f6f0666e50eb7714840561589662a0d82696829010a88aba3c46666575f434dd7061af480cabe9870d9ca98097171448a4c6cb39ce206e9c209770a0f04162cb82764053aae8a9a2356d4cef2eafb455e04c7ec4f5c0ddfb12dc8801e0cdd983b9adfff9397988a8f1b72309b0089fd0639ceae1f7381bc4ab97e01cf702379296a57265aacf16c267035cd62e5377845e4ed0f9c76862ce1fdf886344ae1949128f235e6f983cf53a78569ffaa18998b418a0adcdc70a297a3013cca0f4afd8a96ba3f60855ced78561283c970eaf895ccf41f1fdc21525ec4c29a3072d05e39782c0b87b4a040a66585ebba275775552ba20c7f96fcae98374a4de70c03", @nested={0x218, 0x68, [@generic="12ea073b84a1371d02c32a3abd1689a56367ec3221b8d0095d73d1a8f2c2df54c5af1910664debdd8f08393b531b5906abf1c0e98937ae0e2ae84c9991ef5ec41ce967071c7402ffddecd031ac37", @typed={0x8, 0x5d, @pid=r5}, @typed={0x4, 0xd}, @typed={0xc, 0x51, @u64=0x8}, @generic="7c21f6e5750508214be2f389fce4db877fea59c88cd2930e520dd55b8ae7a1870392cd8c8a38655973fb0813f655fe375951ae4c2cc52065907811ed0cfa8e841cb980043854ddea5e9de6df2232c6567b0860121cf9ada6f7493d2597c9eb076ced449de3e14fbc2039f4f654d8218faf656bc26a2d75a30c833d57b3ba3e3d668d7b6276d2c311cff61b9d8a8dd229220385e7f39beeb3e07fefa02b8dc06e9ba0596ee2f70837b7b37f86321263c48dbcb7412dc028d25414c1dbd20b2d5e8fb7309ac5ad23c2fea2416d757e0bede06ce30966c2fa87a3f5779f46b122b18b452152864b5ed168c6233c8d2c5bdeea35e2dac8f6d086e57cac", @generic="8bcbc52fabd5b72679c6e8004329787e44902734485aeaafb393bc6f38c858eeced7cdddee21b5dc2ea0ee033b9ddca9f37f203e2dad8b1ed0fde302177b4491568735608a7dfa4b39a122da3190efdc6ab2fd4623d82b9300cf56840e1cad8417fecfc0ed4e21b87033d2d84635accc14cc9bfe1537d2c9dad38c73e07960538339293ba6f6cd4609e646a3273f937eca883bf02336a2d6581ffe474c2e2053febd21b7", @typed={0xc, 0x1d, @u64=0x101}]}, @nested={0x68, 0x48, [@typed={0xc, 0x88, @u64=0x1f}, @typed={0x10, 0x90, @str='/dev/adsp#\x00'}, @typed={0x14, 0x19, @ipv6=@initdev={0xfe, 0x88, [], 0x0, 0x0}}, @generic="e444695c4e7fc558f45093471ae8eba63cc22bd61272e2013124a23f8358abb78e1402743dd5bd03bf0ab647c45f12df8561"]}, @nested={0xac, 0x86, [@generic="6184de6d928fb83a3974fd9850ffc42a0f9a7746515ce012a4b2546bdcd1d361b2949d13fae69e641413bb4a77dbd348a0d069d7e7d3f32b98dd34b44cb14a0e0a00880c96e829897a20b4c7c240a733d11d4e53175f698aa06f38234ecf9587d7cf5e8bdd8bd788d2bbedac9a5e589133392202e741bcf55b8a7fc1b6bce5266f60e7aa79c682c9ec72b4b86f594364db7b25646c7d1172fc66c826cce16c54", @typed={0x8, 0x17, @fd=r3}]}, @typed={0xc, 0x50, @u64=0x8000}, @typed={0x8, 0x1f, @pid=r6}, @generic="67c8a180e4c2ca3176ce8fac0413ce4dfa4f6bc97ee31840320bd38638641b5564d8151dcc320f0283e0c6beadf7b43add1ecd66cde8349be84242845541a5e613a78ff9d8b00ac185d3cf00162200b83cf55531863fbadb9a82db51597d8e58561f69d82a91731b3a8d8133771efcc11e14f9ff1c1b4e154791c870bbea1266f9cf60da74d74a3e564f54b6c67b45107a11ce74568d1716bf3f350650e610cb6926e6c03d1554821df48fcf7490e8810fa4d4002d649420ef8a4f183bcb02d3f477e5793ab3", @typed={0x8, 0x5e, @uid=r7}, @typed={0x8, 0x18, @pid=r8}, @nested={0x3c, 0x49, [@typed={0x14, 0x28, @ipv6=@dev={0xfe, 0x80, [], 0x26}}, @generic="091d17403b340a", @typed={0x14, 0x7c, @ipv6=@ipv4={[], [], @loopback}}, @typed={0x8, 0x3f, @fd=r3}]}]}, 0x1464}, {&(0x7f0000001bc0)={0x1200, 0x33, 0x0, 0x70bd2d, 0x25dfdbfd, "", [@nested={0x118, 0x37, [@generic="0899b19cdccca67e91dcd6390fe4346b4d6767311ffa98387b3c7e0fa0a475fe2a514296d028f192765b4c97456761ef92af11bf3cefa0537af18bdf87c0622a546931c96b2a1c06d9b298a4697c20cd5ea129683d686c6aa2bd31b8eae78ca7f459fd7255a3d6016249d5025c010ecea2c32ef29e6ca528327b71965ffba75269", @typed={0xc, 0x4c, @u64=0x6}, @generic="7ead99575f452b08ef980338fa807931ef633d57abdab7b2da887c76ea7a59ae4a5c4f00bc4869258d8057bb2d87d5d67fc9faaf0cc2ef57735e8bf4d5b81e2a4b51b9c52a3debd914b78337ac07f9c7c8ccdbb2f8dde76a7b", @generic="375c72426f80d450be71c3326f7eb68376ba78d1bc2058a79ea8252876157f043cca42376520d9e4a7b052df"]}, @nested={0x100c, 0x16, [@typed={0x8, 0x0, @str='[\x00'}, @generic="d913ad47d41c42603fd56039a09c7096920befb7757ba9c7d5ddf2e8690e44cb4c477c7584670aefc4d2554b5fd2bc64f6bf9ce4899f7e50cde3e7a9c3426e45041d1492eb75afcfd2bcdb82a5ed028541f3236ba3778ceba72d70fddf810cf3f7b3efe051589302dcfa0d7a6fd330b74cee14a098d71913ddcf81a69684842ce2faf2f27ddc5c70edd0f393621b47f4e3a3d4b1c50691ff4b2087406ac70ec0f1a8752f1a59124c54a35f43f1e7c45357d4d4f2a9128f01c99c3b68a995f7f4b3eed2487791eaea0b1f2405a5fd87644a8abadfaeaf86d9eccf29cfcf0563f4ca15af2f458e56ba384670ef9ea387c66cd805c56254f142b51b574598a77e50b8bc79bce57b3d2df3dbc98a9bb5601a11d4f45e37f0ca5c582bceb660d06d8910b66f37e97f6808408d5efa821aab2098f3c50d515aa11ad3f83ea2b2c603db5f8ef8172008af1ff443e211fa06d93f6df5b08bee380df43634ac6d32b6ac3e74e1479e5d2f5713ac0957c566114b771e13bac992eafdfc7efdc76c1b993b6e20b859b75ec99003fb6977750093f7d9d0b8fb553b53dfb871fb9e9657900de56189cb062d369cf0fbf373f1359f7f8caa8013bef7b30f269991fdddf18a3e239882dcc48aad4a898242ce2bcbe7eca3cf6aa0acd0f407d46464ce6e61f5fe44adb3af4760056bb461c1a6a898c9b470b6b96d238dd0832b735770bb405869b10358b1197ce68b9e49afe31f12735a772e9f26f4a300a7748a661e390a6f061e8bd40663dcee744017d1fc8bd6b9780c3235dee54d6884a4d383c4c31b5bff53d1ead2a9b98395b33fd6f8dcfe1cb115c117d528489765dc8dff87c970e731b2521a3d85a730984cc9966e4c0aa24c3f4a6498bc1906f72cf09ef2c0d4abdd97be9a893f319dd9c1cfd348263ed8fe322dbc9ce357dc1a5ee7e2123ab86ed8fbf6e44be7caeb22b1754d7e44835a154fd984f56f7eb921431d6bf15272419277409a6165168ab6eb20a70c6db022428b12ad23759ca3c0285803e965b05014ce9dc25d1e892d65f4a558f8308aa8e9e1e78164744df105b7d4e8011070a68aa6182ce9877ca01dd8ced29b62a205abc085d84a5a2c0be7553b85178db40a680d6500e89e858debb394ae6bc33792d350a845b4b51363c8610f40a0cb9039ad4221e2652473a323bdea43726367a2216c2bd6b035fdabc54bcf961b91847d6d69d13bd4baa385c559b8568a227fd102428646797475718df178984ccf1c772c5cf5b99b823c810e38ba4f9974db7fcb758b84a7da99d3b7adba0d76fbed42b45dc125d4bdeb06fc0ea2c9f40d4191ae46f1a76f3920d7e058e521bab0fa2f998a302022529fd6cdce4d74315864bdb9b18bfa64f44f148734e9e7132706ec9062446c65813f2da7bc91cf79e9f8a729e4879917997168e6d7f043ee50c1978e4b6bb38891abeae100aa47da37aff03334272ceae03a8cc6b76accaf8cece1294443629cd40777956a9709b0e374a1ad377805adb9938d625018621dcdb835d68003588d14ba7f172922b5e8389545aa64fc8e05f3f5f7ce96145bffb3bbd05324c4dcf02c1b89490ffab2b62e05dff49b09f82f77bb4bfa50bfd690949185f08d178daa5663eab1a4c27523238894835e92d49fe8eac125e2bb7e13b4cfdad39d605e2e615e2f87f783b3ea75179e577575964d1c5551e3890e299265f5724400612e2c176ab824a9ef536ec453476ee3eec9dc3c599702be6c403505034155774b1439969129d65608310e52ff051ebd1ee04fbd5e598c8e9fa40a3158d1a320c9d281e284941a5b246e8772aad7e667d06122064bcc2dfe6c9c9a4d79426773cf8892016af078e65e76395fae2e6d3bf266d83978c89fee6d806e603389704afad52436e6f88107a91092a776a217be0168cddb06bf37ec1224c558df20ebc290e515829412cf9d68afbda1b86790d9fd0e371c3803de8494123f6a386dec599cf197b504a7ff8efe2b99c72665d598d3cb42beb92b4bc1e46241b45d36d7a441f8f8138b0e7e10252de27a56f146fe7410932b0d237a568e9f446ff2850829b14950f1a11baa9be0984b1236f7b4ca47daa3a289f7a99d423c228a3b7fa4649d894b19bd68cfbc0d05b41085cfb6e1fcf3efd36949d790647e2cfb95b462dfe3f39e3bc45a682e5793b24bc3061895c8390ca1ba64ed007dde1f82a243611787f3b4c2dd189b7b729df4fe0b32f4f36e337ce215f12561ce729e404b3e91b1a857e817661f8531bde76a67085d6df7e4116e969fcccf714b9861533f05ed827189f978c5e7c0e234ec5b7548135512ef7ac6500e5bca3969183caa83e1abd33b9ae33f93ce6d758e45f6b40ce5a5645f49ab2a4267f717f11cf952fcfde6d9f160e0fd3ed1546e76cd9bd7f9079ad43347eced0a5aa4926b24e09d4ba9160bdb643dafb45633750844cd494ee7201121e0c10c3d9b6b6972702cdd972684cb57f230068d3b9b6c13655fab1fbfde37383c7236dae34a8a3b21ba84eb586c173f2a554d02f0415a434ef3449aec2ad776310ff38ca7e47657eaf8a7bd070779c4f4507659de0edc53eba373c911274fe1642f0d59dfd608bba8a2f74061aa4007a8ca0e0beb482d92dcc59d456afcb092f7154671f2ae24d5c818c239ac7e37ca65f3f32ab928f4e0d30a0b2a266cbee494904545f3e52c7ecf3ad4b8b086249b817b3140864128afa377ead9f01c9e3a13d35c0733bcdbf6fda62a3d7c30a03a847f9122c46ea02883c36ff413bbe841be3ce6bc75bd66923c267af7e4ca2ab948c98000d9f80d4129c69904db82131a128175b392dbc88748af06b73b41bd03b896c6b33d2a6a950c3853436dbf57979ab1ea32d8fc80cf5419bce1f764202f3150fe4458f46fb81d9c10763156e027d35662707c47cffa88bde6c9a315db21c622b10e3643c40fa3fc2f9f72d24e546796d96e037c50197676dff36e75c5d92c7ded75289ce40d70b827c6f742a733f77b3358e27bacacbed85a51a84adfa33033d9a0d92106b88814dcc951414670d606ad5818b9a6d30055ac4f8c3df4b198566e5de06f58c972ce4607aca3f5581863912366e8109b4de3c3296aa2c4f6222b3a7c8d6479c26064af87ab7315b1a81a1e5ef236ba3889d70274e2962c723b3602ce7d58f253eeb26f8d4cf7b9a58098d8dbca1261257dd34a7ab0afbeadfe51154421086a0d7dfcbbec5d9fa006afe2d92daa541b868e5e35512946b0b87897efbb8646734d6a2b13c37bcb97671c1f5a58e9eb609499bbe7b98c3d324564830ab9a4f14f14c8d10ccdeab537bce3d2604c7aa0b6353b819455243d2a40856e24140a708fb67822969ed2a5ae024b6358d1bfb3d805c7f5a37f330e82d189447e24993dbffaa00373467b80c010b224bf81855078f1b130d1e3d0cb053ac04d608c66f50d9276741fbd77db1e59e0a5b04d33e82b006b6a0ea7b1ecab9d22266f7c6b937aec60eb292e251a34bc0b689d2d2ab13a42db239e5b05e23e7aa59c45d786e6178d43950229e1a07ac102807bf6b3a9d6c18ec36a1f1470923b21b1d95f1df3c2059d68ac3a974eead2815a594800fcfe68b4a73a371cfdda248540059d9c4b7d9f4afd53490c11876ef55f546579edd9af74e523f88da685e0309c203450f62c895a32c0c33c9f5745c6da369d956c7998c4cf89470ea7b8f052a9859d77e435c26d8fc401147cd5c4f270a1fc118a3fe3d035038e02f2d5e05249a7b1c52f6cf6a2d86bd5d613355527ebb5fb6b693847b886cc165c57a187336433f6c5495f1cede0cf44b61e206dd19abb6408b60e830855678d333cb54bd7ce1bd8ea18f69bb9933006ea5920a219567f52f8174039c5ba3dd17805bd65efe509774e3169c256b7ecef9c4c52158153f45d912cb917e2f0e58f66d651131871dd5c660c724990d4ca17c30ac8aa9eb2d43f472e8e0fe9619217dd5c440cfdbcd6e7ad7abf5fcc632fe5ab31af823fa49ef8d3568407764d7236df3983c2a5f72dd1bd6b41c762e3736fef474c05780878ea47b21baa5da5ac7173fa4d5597dc1e57a50079f79580bbe7e7afad67d32bd630f2926bc321a3e0ee47c5354d5be12b274384d8aa0fe3f97f599a59f1ffada2909c25c406b28a92f71209599ad932a559edbb7e0119c553b6cb9413855a94b1ad977b7f9b9e8235f481e05fa6dcf5aec5d4976d87a59ff43932e13f01ae2f9fdb8cc31ebe915c1363146c2aa9e7987b1890b712e03c3801b95239157089af668ec7c7221af2289bbdbaa1871363e1e05a529ebe308c02ad5c6b852f32b9c8bf1144910ddeb39f7b7c046fa7ebd10e2e40d3c21aeffb128fb731111850759be90198e7bc9a836bbe35c8eaac551e847c25deeae3c89d797654d75afa864220eee17a932dcf8acc0387df82826db7526896de09b7b91309e044c05ecccfaff1251f54a4682e9fcfb7d8e5c1d333a8d8c9727c7031b5c175ecedffce332aacb046a4141d334c8f32db8725df7a8a8e1fe1f286c9ae1f39724dce97694e20750fcf3ac5675342d0a30c625d8484652edf312892cd3ded2a63834a7057a451167df2c050147b3dbca92df72b07c1924a55e0640bf9bac096fd32ea774ac252959c93e782c8ffcb66084e5e10f4c049d4bda62bd827e410fbc16c51dbdb0e59ad1e45e8116122c785f38fe19920d00600d4a1a9293a2dc672e4a565d52412c0415060275813fbe0aa38e408bdee7608357f12373302a91252705a5b811aff2da912e10d529802c6b88208dc2b296d12f7207c54ededddbda354e4c791a82d21208b91afc46d19a01aa521bda0046bca8b86d8d29913033591cfb5630a954413d747d09cc80077a80334abcc268391d822d981031056e4953002a1cbce71e5f393060a29a5a2730bc4e6e4c1c9e5bfe5fc9467743a3f5ee8c28b8bf4110aec5891051024bafe915f900b51ca0fa5a4003341a4364429be8a20b628879185f8c13fece67c89cfff6c4a28f544f3d0e59b843af581a200c91991babf1af323791add856b3da657c2829231b5ee313b81ea4f5ce41a807ee8c8677a2dc2c2d9217e369fb02d6d47f9be238548b9d200cef958bc69f0de6af43818abf23642d35f00b79c0ed9ff551d9b3aed2d15fc092e620f896d34ab11c98ec866df73625a5b27dbb631c1e5fbcc905c1fd1e8373994fe2f4ecc6571df5c15b3a95d52cfb855e065758871b955ae87a050047d4db6ea6397536caf87acc8152179898326210ad4f910bafc973d256e62348a814d50df9c45fb9de9325c5b8715a42aa41f96b46ed621b3bb18a26dfeb87a6370b5e53e94315a778c95ebb352d47cf9519943cf51b079e6b95378754dbdfc3d4e660c1087e121df6d4538ee38de98f78cae41f05aaa5475bbe8f6429abc9d1c1c9e7789a7fa0fadfd0ae444ede5157b2645d68d9767421c352efbbba571957159c9846b6cd41604bb2627088fbc556fc00394526396eca3ebb9de365b41670a022a021c34bd5ec7e600e365185da63e08f00b62db8154727f95ced84f825747789432615cfb7c605bfb13c13e750285a60d49fad54f907624786dbf064d98b21a4146c18a6077adbb73626700f7faab86984de493767861bf488a7280972a56b4ac943401f47665a8ea75fbc8c347fb1c2a7b72ff28d6aa62564cfd752c3661caa98a6040f5aef34ccf1cd7ffcd6ddd6d05f9f815dc02f7408c0d93b787804820d42a1cf22a327df60f380ea6505fc70bc04bffa38dec4a840fb944b31ec359c0716d26"]}, @typed={0x8, 0x3a, @ipv4=@initdev={0xac, 0x1e, 0x0, 0x0}}, @generic="3368fb9b44d4f837e08b", @nested={0xb0, 0x26, [@generic="1c03dec246aa59bb938e8b259352b8b19a6290e830d79e8b6d46eb83f7c7150081fd26a31df9b9299b6e3ec365f7491394704472f6b138666ff2fd7d9640c9af190a52b5b197fbaca9cea3f5d1e5c3bdbb57a7db435392b880548f6da5d8b240cef4eda04679266f51ac1191fda2ee2410a88fc7aff31ce3ac0cd011193ae7769eb80f07bb0fb826374ba3b60558e7952f3255be79a24ef43c1c", @typed={0x10, 0x27, @str='bdevppp0[^\x00'}]}, @typed={0x8, 0x7a, @uid=r9}]}, 0x1200}], 0x2, &(0x7f0000003380)=[@cred={0x18, 0x1, 0x2, r10, r11, r12}, @cred={0x18, 0x1, 0x2, r13, r14, r15}, @cred={0x18, 0x1, 0x2, r16, r17, r18}, @cred={0x18, 0x1, 0x2, r19, r20, r21}, @rights={0x30, 0x1, 0x1, [r2, r2, r2, r3, r1, r1, r1, r1, r3]}, @rights={0x20, 0x1, 0x1, [r1, r3, r2, r2, r0]}], 0xb0, 0x8041}, 0x4000000)
r22 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
ioctl$KVM_S390_VCPU_FAULT(r22, 0x4004ae52, &(0x7f0000000000)=0x3)
r23 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r23, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r23, 0xae80, 0x0)

[  383.626395][ T7807] binder: undelivered transaction 1756, process died.
[  383.656619][T18222] binder: BINDER_SET_CONTEXT_MGR already set
15:42:36 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0xfffffdfd, 0x0})

[  383.700969][T18222] binder: 18217:18222 ioctl 40046207 0 returned -16
15:42:36 executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
lstat(&(0x7f0000000000)='./file1\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, <r4=>0x0})
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000080)={0x3, 0x3, 0x105000, 0x1000, &(0x7f0000010000/0x1000)=nil})
ioprio_set$uid(0x3, r4, 0xffffffff)

[  383.830706][T18312] binder: BINDER_SET_CONTEXT_MGR already set
[  383.837255][T18316] binder: 18307:18316 transaction failed 29189/-3, size 24-8 line 3147
[  383.850114][T18312] binder: 18307:18312 ioctl 40046207 0 returned -16
[  383.882140][ T7807] binder: release 18307:18312 transaction 1760 out, still active
[  383.902583][T18357] netlink: 'syz-executor.1': attribute type 1 has an invalid length.
[  383.916542][ T7807] binder: unexpected work type, 4, not freed
15:42:36 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x2237649049000000, 0x0)

15:42:36 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x100000000000000, 0x0})

15:42:36 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x600, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  383.941515][ T7807] binder_release_work: 15 callbacks suppressed
[  383.941522][ T7807] binder: undelivered TRANSACTION_ERROR: 29189
[  384.019026][ T7807] binder: send failed reply for transaction 1760, target dead
15:42:37 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x200000000000, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0xfffffffffffffffc, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_IRQFD(r2, 0x4020ae76, &(0x7f0000000000)={r2, 0x9, 0x7, r2})
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  384.070252][ T7807] binder: undelivered transaction 1763, process died.
[  384.087547][T18443] binder: BINDER_SET_CONTEXT_MGR already set
[  384.112896][T18443] binder: 18430:18443 ioctl 40046207 0 returned -16
[  384.113000][T18432] binder: BINDER_SET_CONTEXT_MGR already set
[  384.176209][    T5] binder: send failed reply for transaction 1766 to 18418:18432
[  384.187300][T18448] binder: 18418:18448 transaction failed 29189/-3, size 24-8 line 3147
[  384.192430][T18432] binder: 18418:18432 ioctl 40046207 0 returned -16
[  384.225602][    T5] binder: undelivered transaction 1769, process died.
[  384.264730][    T5] binder: undelivered TRANSACTION_ERROR: 29189
15:42:37 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x200000000000000, 0x0})

15:42:37 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x2401000000000000, 0x0)

[  384.310133][    T5] binder: undelivered TRANSACTION_ERROR: 29189
15:42:37 executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
lstat(&(0x7f0000000000)='./file1\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, <r4=>0x0})
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000080)={0x3, 0x3, 0x105000, 0x1000, &(0x7f0000010000/0x1000)=nil})
ioprio_set$uid(0x3, r4, 0xffffffff)

[  384.378761][T18595] binder: BINDER_SET_CONTEXT_MGR already set
15:42:37 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x700, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  384.432220][ T2597] binder: release 18593:18595 transaction 1772 out, still active
[  384.450959][T18595] binder: 18593:18595 ioctl 40046207 0 returned -16
15:42:37 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140)='/dev/kvm\x00', 0x200, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

[  384.481169][ T2597] binder: unexpected work type, 4, not freed
[  384.515153][ T2597] binder_release_work: 17 callbacks suppressed
[  384.515158][ T2597] binder: undelivered TRANSACTION_COMPLETE
15:42:37 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x1800000000000000, 0x0})

[  384.546339][ T2597] binder: undelivered TRANSACTION_COMPLETE
[  384.552757][T18608] binder: BINDER_SET_CONTEXT_MGR already set
[  384.583678][T18608] binder: 18607:18608 ioctl 40046207 0 returned -16
15:42:37 executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
lstat(&(0x7f0000000000)='./file1\x00', &(0x7f00000002c0))
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000080)={0x3, 0x3, 0x105000, 0x1000, &(0x7f0000010000/0x1000)=nil})

[  384.591873][T18608] binder: 18607:18608 transaction failed 29189/-3, size 0-0 line 3147
[  384.600323][ T2597] binder: send failed reply for transaction 1772, target dead
[  384.619150][T18618] binder: 18610:18618 transaction failed 29189/-3, size 24-8 line 3147
[  384.668400][T18613] binder: BINDER_SET_CONTEXT_MGR already set
[  384.699543][ T2597] binder: release 18610:18613 transaction 1778 out, still active
15:42:37 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x3f00000000000000, 0x0)

[  384.712393][T18613] binder: 18610:18613 ioctl 40046207 0 returned -16
[  384.734727][T18675] validate_nla: 1 callbacks suppressed
[  384.734742][T18675] netlink: 'syz-executor.1': attribute type 1 has an invalid length.
[  384.754623][ T2597] binder: unexpected work type, 4, not freed
15:42:37 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0xa00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  384.781761][ T2597] binder: undelivered TRANSACTION_COMPLETE
[  384.812913][ T2597] binder: undelivered TRANSACTION_COMPLETE
15:42:37 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
ioctl$UI_DEV_SETUP(r1, 0x405c5503, &(0x7f0000000380)={{0xfffffffffffffffe, 0x5723, 0x105, 0x4}, 'syz1\x00', 0x6})
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
msgget(0x3, 0x280)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
r4 = msgget(0x2, 0xb1)
msgrcv(r4, &(0x7f0000000400)=ANY=[@ANYBLOB="00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000038d96281a455fa1de8fbe41aa00e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020af82854034134a70ea0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000763ec73a46d0636c4bd3375036cd89799c6b337f72268b2140188e72c0dbaf65df"], 0xbf, 0x1, 0x3800)
ioctl$KVM_RUN(r3, 0xae80, 0x0)
syz_kvm_setup_cpu$x86(r2, r3, &(0x7f000000f000/0x18000)=nil, &(0x7f0000000080)=[@text16={0x10, &(0x7f0000000000)="3e0f01cab8d9000f00d0b893000f00d80fc71c660f383d55b69a0008a80066b80500000066b9af95610f0f01c10f20c4660fdc4b890f019e0b00", 0x3a}], 0x1, 0x10, &(0x7f0000000140), 0x0)

15:42:37 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0xfdfdffff00000000, 0x0})

[  384.847914][ T2597] binder: undelivered TRANSACTION_ERROR: 29189
[  384.909131][ T2597] binder: undelivered TRANSACTION_ERROR: 29189
[  384.944390][ T2597] binder: send failed reply for transaction 1778, target dead
[  384.953946][T18769] binder: 18753:18769 got transaction to invalid handle
[  384.960928][T18769] binder: 18753:18769 transaction failed 29201/-22, size 0-0 line 2994
[  385.000075][T18822] binder: BINDER_SET_CONTEXT_MGR already set
15:42:37 executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
lstat(&(0x7f0000000000)='./file1\x00', &(0x7f00000002c0))
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000080)={0x3, 0x3, 0x105000, 0x1000, &(0x7f0000010000/0x1000)=nil})

15:42:38 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x40000000000000)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

[  385.043406][T18822] binder: 18788:18822 ioctl 40046207 0 returned -16
[  385.104795][T18923] binder_alloc_mmap_handler: 4 callbacks suppressed
[  385.104813][T18923] binder_alloc: binder_alloc_mmap_handler: 18788 20001000-20004000 already mapped failed -16
[  385.128975][T18822] binder: BINDER_SET_CONTEXT_MGR already set
[  385.139557][T18822] binder: 18788:18822 ioctl 40046207 0 returned -16
[  385.148229][ T2597] binder: release 18788:18822 transaction 1786 out, still active
15:42:38 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x4000000000000000, 0x0)

[  385.184019][ T2597] binder: unexpected work type, 4, not freed
15:42:38 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x2000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  385.231452][ T2597] binder: undelivered TRANSACTION_COMPLETE
15:42:38 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
mprotect(&(0x7f0000003000/0x9000)=nil, 0x9000, 0x2000000)
r2 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer2\x00', 0x40000, 0x0)
ioctl$TCXONC(r2, 0x540a, 0x1)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  385.273249][ T2597] binder: undelivered TRANSACTION_COMPLETE
[  385.310188][T18988] binder: BINDER_SET_CONTEXT_MGR already set
15:42:38 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
r1 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000000)='/dev/btrfs-control\x00', 0x20040, 0x0)
ioctl$KVM_X86_SETUP_MCE(r1, 0x4008ae9c, &(0x7f0000000080)={0x11, 0x2, 0xfd})
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  385.366936][ T2597] binder: send failed reply for transaction 1784 to 18753:18769
[  385.377703][T18988] binder: 18981:18988 ioctl 40046207 0 returned -16
[  385.388585][ T2597] binder: send failed reply for transaction 1786, target dead
[  385.416870][T19070] binder_alloc: binder_alloc_mmap_handler: 19000 20001000-20004000 already mapped failed -16
[  385.422042][ T2597] binder: send failed reply for transaction 1790 to 18788:18923
[  385.430951][T19034] binder: BINDER_SET_CONTEXT_MGR already set
15:42:38 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
lsetxattr$trusted_overlay_nlink(&(0x7f0000000140)='\x00', &(0x7f00000002c0)='trusted.overlay.nlink\x00', &(0x7f0000000300)={'L-'}, 0x28, 0x1)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)
lsetxattr$trusted_overlay_nlink(&(0x7f0000000000)='./file0\x00', &(0x7f0000000040)='trusted.overlay.nlink\x00', &(0x7f0000000080)={'L+', 0x7}, 0x28, 0x0)

[  385.464666][T19034] binder: 19000:19034 ioctl 40046207 0 returned -16
[  385.469346][ T2597] binder: undelivered TRANSACTION_COMPLETE
[  385.488182][ T2597] binder: undelivered TRANSACTION_ERROR: 29201
[  385.494651][ T2597] binder: undelivered TRANSACTION_ERROR: 29189
[  385.501256][ T2597] binder: undelivered TRANSACTION_COMPLETE
[  385.507583][ T2597] binder: undelivered TRANSACTION_ERROR: 29189
15:42:38 executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
lstat(&(0x7f0000000000)='./file1\x00', &(0x7f00000002c0))
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000000080)={0x3, 0x3, 0x105000, 0x1000, &(0x7f0000010000/0x1000)=nil})

[  385.507985][T19070] binder: 19000:19070 transaction failed 29189/-3, size 24-8 line 3147
[  385.514597][T19092] binder: 19000:19092 transaction failed 29189/-3, size 24-0 line 3147
[  385.563233][ T2597] binder: release 19000:19034 transaction 1794 out, still active
[  385.580024][ T2597] binder: unexpected work type, 4, not freed
15:42:38 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x529e498e49000000, 0x0)

[  385.613276][ T2597] binder: undelivered TRANSACTION_COMPLETE
[  385.646492][ T2597] binder: undelivered TRANSACTION_COMPLETE
15:42:38 executing program 3:
r0 = openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000140)='/dev/sequencer2\x00', 0x400000, 0x0)
bind$unix(r0, &(0x7f0000000180)=@abs={0x1, 0x0, 0x4e24}, 0x6e)
r1 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r2, 0x0)
getsockopt$inet_sctp6_SCTP_I_WANT_MAPPED_V4_ADDR(r0, 0x84, 0xc, &(0x7f0000000100), &(0x7f00000003c0)=0x4)
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
r3 = openat$zero(0xffffffffffffff9c, &(0x7f0000000000)='/dev/zero\x00', 0x480400, 0x0)
ioctl$VT_RESIZEX(r3, 0x560a, &(0x7f0000000080)={0x484, 0x3, 0xd0, 0x800, 0x8, 0x80000000})
ioctl$VHOST_GET_VRING_BASE(r3, 0xc008af12, &(0x7f0000000040))
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000080020000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR64=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR64=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})
ioctl$TUNSETVNETBE(r3, 0x400454de, &(0x7f00000000c0)=0x1)
r4 = openat$zero(0xffffffffffffff9c, &(0x7f0000000380)='/dev/zero\x00', 0x80e00, 0x0)
getsockopt$inet_sctp_SCTP_GET_ASSOC_ID_LIST(r4, 0x84, 0x1d, &(0x7f0000000400)={0x7, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, &(0x7f0000000280)=0x18c)

[  385.680286][ T2597] binder: undelivered TRANSACTION_ERROR: 29189
[  385.701553][T19145] netlink: 'syz-executor.1': attribute type 1 has an invalid length.
[  385.705184][ T2597] binder: undelivered TRANSACTION_ERROR: 29189
15:42:38 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x4800, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  385.745778][ T2597] binder: send failed reply for transaction 1794, target dead
[  385.768397][T19181] binder_alloc: binder_alloc_mmap_handler: 19177 20001000-20004000 already mapped failed -16
15:42:38 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x2, 0x0, 0x7f, 0x0, 0x0, 0x3, 0x0, 0x4000000, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x4, 0xffffffffffffffff, 0x0)
readlinkat(r2, &(0x7f0000000000)='./file0\x00', &(0x7f00000002c0)=""/238, 0xee)
r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_PPC_ALLOCATE_HTAB(r3, 0xc004aea7, &(0x7f0000000080)=0x1ff)
ioctl$KVM_RUN(r4, 0xae80, 0x0)
setsockopt$TIPC_MCAST_REPLICAST(r3, 0x10f, 0x86)

[  385.831734][T19185] binder: BINDER_SET_CONTEXT_MGR already set
15:42:38 executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r2, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
lstat(&(0x7f0000000000)='./file1\x00', &(0x7f00000002c0))

[  385.887126][T19184] binder: BINDER_SET_CONTEXT_MGR already set
[  385.894532][T19185] binder: 19177:19185 ioctl 40046207 0 returned -16
[  385.904627][T19184] binder: 19183:19184 ioctl 40046207 0 returned -16
15:42:38 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x7803000000000000, 0x0)

[  385.952805][T19181] binder_alloc_new_buf_locked: 7 callbacks suppressed
[  385.952814][T19181] binder_alloc: 19177: binder_alloc_buf, no vma
[  385.974115][T19205] netlink: 'syz-executor.1': attribute type 1 has an invalid length.
15:42:38 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = syz_open_dev$usb(&(0x7f0000000000)='/dev/bus/usb/00#/00#\x00', 0x101, 0x4000)
ioctl$SNDRV_SEQ_IOCTL_SET_CLIENT_INFO(r1, 0x40bc5311, &(0x7f00000002c0)={0x7fffffff, 0x3, 'client1\x00', 0xffffffff80000007, "a982ed5105c41e92", "b5f98a74967fa2f13de7a6d5687b41418ef3f689fe3d3fd6950ea81cd1de65ad", 0x5, 0x8})
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  386.017863][T19178] binder_alloc: 19177: binder_alloc_buf, no vma
[  386.020417][   T12] binder: send failed reply for transaction 1801 to 19177:19178
15:42:39 executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r2, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)

[  386.068854][   T12] binder_cleanup_transaction: 4 callbacks suppressed
[  386.068864][   T12] binder: undelivered transaction 1804, process died.
[  386.072511][T19181] binder: 19177:19181 transaction failed 29189/-3, size 24-8 line 3147
[  386.102582][T19178] binder: 19177:19178 transaction failed 29189/-3, size 24-0 line 3147
15:42:39 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x4c00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:39 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0x0, 0x0)
r1 = syz_open_dev$binder(0x0, 0x0, 0x2)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20010, r1, 0x0)
r2 = msgget(0x3, 0x8)
msgctl$IPC_STAT(r2, 0x2, &(0x7f0000000000)=""/171)
ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0)
r3 = syz_open_dev$sndpcmc(&(0x7f0000000280)='/dev/snd/pcmC#D#c\x00', 0x5, 0x0)
getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(0xffffffffffffff9c, 0x84, 0x1a, &(0x7f0000000380)={<r4=>0x0, 0x8a, "4b2e148fb61698ac7d7d98ff50b82d98e77627d8ad6a455cca039b16818557797feb1937bb3fc57639650b2aa4ee598e3d05f64a0d52955821a55cfc60f10dec37bbed657c32bc977c243ba2c0e33715c4079c157c66251a12367dcc918a5b1354182d3554e6d016178015528f806cf22ea4e56cdbcbd588fac503354d944b0bda934972c3ee50eef18f"}, &(0x7f00000002c0)=0x92)
setsockopt$inet_sctp_SCTP_DELAYED_SACK(r3, 0x84, 0x10, &(0x7f0000000480)=@sack_info={r4, 0xb9f, 0x5}, 0xc)
lsetxattr$security_smack_transmute(&(0x7f00000000c0)='./file0\x00', &(0x7f0000000100)='security.SMACK64TRANSMUTE\x00', &(0x7f0000000140)='TRUE', 0x4, 0x2)
ioctl$FS_IOC_FIEMAP(r0, 0xc020660b, &(0x7f00000004c0)=ANY=[@ANYBLOB="0180ffffffffffff0300000000000000000000000000000100000000000000008000000000000005005980eefff0361bbbd9de9350240000000000000200000000000000000000000000000000000000000000008500800000004c7f80e4ab5123cff539eda9e28b643c97031afb6ca6a13b87acef608571b59422f15b2d6e"])
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})

15:42:39 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
ioctl$sock_SIOCGPGRP(r0, 0x8904, &(0x7f0000000080)=<r3=>0x0)
perf_event_open(&(0x7f00000002c0)={0x5, 0x70, 0x6, 0x9, 0x0, 0x0, 0x0, 0x100000000, 0x82050, 0x1, 0xffffffffffff0001, 0x7f, 0x80, 0x3f, 0xffffffffffff8001, 0x8001, 0x2, 0x9, 0x1000, 0x0, 0x7, 0x4, 0x642, 0x800000000000, 0xfffffffffffffff9, 0x8, 0x8c9a, 0x5, 0x7ff, 0x8, 0x8, 0x2, 0x180, 0x100, 0x800, 0x8, 0x1, 0x0, 0x0, 0x9, 0x4, @perf_bp={&(0x7f0000000000), 0x8}, 0x6800, 0x80000001, 0x5, 0x7, 0xfffffffffffffff9, 0x1, 0x19}, r3, 0x9, 0xffffffffffffff9c, 0xb)
ioctl$KVM_ENABLE_CAP(r2, 0x4068aea3, &(0x7f0000000340)={0x74, 0x0, [0x8001, 0x2de7, 0x5, 0x7fff]})
r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r4, 0xae80, 0x0)
ioctl$KVM_SET_VAPIC_ADDR(r4, 0x4008ae93, &(0x7f0000000140)=0xf000)

[  386.252876][T19304] netlink: 'syz-executor.1': attribute type 1 has an invalid length.
[  386.289557][T19309] binder: 19306:19309 got transaction to invalid handle
[  386.300972][T19310] binder: 19307:19310 got transaction to context manager from process owning it
[  386.366285][T19310] binder: BINDER_SET_CONTEXT_MGR already set
15:42:39 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x7a02000000000000, 0x0)

[  386.423832][T19310] binder: 19307:19310 ioctl 40046207 0 returned -16
15:42:39 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x6000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:39 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0)
r2 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000000000)='/proc/self/net/pfkey\x00', 0x40200, 0x0)
ioctl$KDGKBENT(r2, 0x4b46, &(0x7f0000000040)={0x3, 0x7, 0x7})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  386.527843][ T2597] binder: send failed reply for transaction 1808 to 19306:19309
15:42:39 executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r2, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)

[  386.622830][T19525] binder: 19524:19525 got transaction to invalid handle
[  386.631455][T19529] binder: BINDER_SET_CONTEXT_MGR already set
[  386.660503][T19529] binder: 19527:19529 ioctl 40046207 0 returned -16
15:42:39 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
fcntl$getownex(r0, 0x10, &(0x7f0000000000)={0x0, <r3=>0x0})
bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000140)={0xffffffffffffffff, r2, 0x0, 0x6, &(0x7f0000000080)='wlan0\x00', <r4=>0xffffffffffffffff}, 0x30)
bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f00000002c0)={r3, r2, 0x0, 0x9, &(0x7f0000000040)='/dev/kvm\x00', r4}, 0x30)
r5 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r5, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r5, 0xae80, 0x0)

15:42:39 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
setxattr$security_capability(&(0x7f0000000080)='./file0\x00', &(0x7f0000000140)='security.capability\x00', &(0x7f00000002c0)=@v2={0x2000000, [{0x9, 0x8}, {0x9, 0x5}]}, 0x14, 0x1)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$IOC_PR_CLEAR(r2, 0x401070cd, &(0x7f0000000000)={0xfffffffffffff941})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  386.678716][T19531] netlink: 'syz-executor.1': attribute type 1 has an invalid length.
[  386.709894][T19556] binder_alloc: binder_alloc_mmap_handler: 19527 20001000-20004000 already mapped failed -16
15:42:39 executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r1, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)

15:42:39 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x6800, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:39 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x7c03000000000000, 0x0)

[  386.789833][T19529] binder: BINDER_SET_CONTEXT_MGR already set
[  386.844389][ T2597] binder: release 19524:19525 transaction 1813 out, still active
[  386.852918][ T2597] binder: send failed reply for transaction 1813, target dead
[  386.860427][ T2597] binder: send failed reply for transaction 1815 to 19527:19529
[  386.872835][T19529] binder: 19527:19529 ioctl 40046207 0 returned -16
[  386.899673][T19648] binder: 19645:19648 got transaction to invalid handle
[  386.922468][ T2597] binder: undelivered transaction 1818, process died.
[  386.936075][T19646] netlink: 'syz-executor.1': attribute type 1 has an invalid length.
15:42:39 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR64=&(0x7f0000000200)=ANY=[@ANYBLOB="0100000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR64=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:39 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x6c00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  387.009689][    T5] binder: send failed reply for transaction 1821 to 19645:19648
15:42:40 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x8000000000000000, 0x0)

[  387.076366][T19776] binder: 19775:19776 got transaction with invalid offset (0, min 0 max 24) or object.
[  387.078555][T19786] binder: BINDER_SET_CONTEXT_MGR already set
[  387.099610][T19820] binder_alloc: binder_alloc_mmap_handler: 19775 20001000-20004000 already mapped failed -16
15:42:40 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
r5 = mmap$binder(&(0x7f000000c000/0x8000)=nil, 0x8000, 0x0, 0x12, r3, 0x0)
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f0000000140)={0x70, 0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="08631040", @ANYRES64=r5, @ANYBLOB="020000000000000000634040030000000000000001000000000000000000000001000000000000000000000058000000000000000800000000000000", @ANYPTR64=&(0x7f00000002c0)=ANY=[@ANYBLOB="852a747000000000", @ANYPTR64=&(0x7f0000000000)=ANY=[@ANYBLOB='\x00'], @ANYBLOB="010000000000000000000000000000003c0000000000852a6466000000000000", @ANYRES32=r2, @ANYBLOB="000000000100000000000000852a646600000000", @ANYRES32=r1, @ANYBLOB="000000000300000000000000"], @ANYPTR64=&(0x7f0000000080)=ANY=[@ANYBLOB='@\x00\x00\x00\x00\x00\x00\x00'], @ANYBLOB="0f630c400200000000000000000000000b6300000c630000"], 0x7d, 0x0, &(0x7f00000003c0)="5137905f1c8f45c449906a529915c79132bd872098ab811a5e3c64ab4eb2358fa736b22284fa7cf0e58538f239255504982a537738040e7a6c53f5c56ff821197a257bb18baa70ff6e24c60d9e8dfd7999d4bd3898308e59e7439385730df901667a03e6e67ba5ab9c2e48f8d76804b7bfc80d64bf5d119c4167f9089d"})
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r4, 0xae80, 0x0)

[  387.141115][T19786] binder: 19785:19786 ioctl 40046207 0 returned -16
15:42:40 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x2000, &(0x7f000000a000/0x2000)=nil})
r3 = openat$cuse(0xffffffffffffff9c, &(0x7f0000000000)='/dev/cuse\x00', 0x2, 0x0)
read$FUSE(r3, &(0x7f0000002180), 0x1000)
write$FUSE_NOTIFY_POLL(r0, &(0x7f0000000080)={0x18}, 0x18)
write$FUSE_GETXATTR(r3, &(0x7f0000000040)={0x18, 0x0, 0x3}, 0x18)
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ftruncate(r0, 0x1)
ioctl$sock_bt_hidp_HIDPCONNDEL(r3, 0x400448c9, &(0x7f0000000140)={{0x6, 0x100000000, 0x8, 0x800, 0x7, 0x7fff}, 0x2e37})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

[  387.183099][T19776] binder: BINDER_SET_CONTEXT_MGR already set
[  387.192470][T19776] binder: 19775:19776 ioctl 40046207 0 returned -16
[  387.213075][T19880] binder_alloc: 19775: binder_alloc_buf, no vma
15:42:40 executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r1, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)

[  387.235524][T19776] binder_alloc: 19775: binder_alloc_buf, no vma
15:42:40 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = socket$rxrpc(0x21, 0x2, 0xa)
ioctl$sock_inet_SIOCSIFFLAGS(r1, 0x8914, &(0x7f0000000040)={'team_slave_1\x00', 0x1})
r2 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
r3 = dup2(r2, r2)
ioctl$sock_inet6_tcp_SIOCATMARK(r3, 0x8905, &(0x7f0000000000))
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=ANY=[@ANYBLOB="11634840000000000000000000000000000000000000000001000000000000000000000018000000000000000000000000000000", @ANYPTR64=&(0x7f0000000480)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYBLOB='\x00\x00\x00\x00'], 0x0, 0x0, 0x0})
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
openat$random(0xffffffffffffff9c, &(0x7f0000000080)='/dev/urandom\x00', 0x0, 0x0)

15:42:40 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x7400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  387.371305][T19975] netlink: 'syz-executor.1': attribute type 1 has an invalid length.
[  387.402987][T19977] binder_alloc: 19976: binder_alloc_buf, no vma
15:42:40 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x8001000000000000, 0x0)

[  387.446483][T19980] binder: BINDER_SET_CONTEXT_MGR already set
[  387.453242][T19977] binder: 19976:19977 ioctl 8905 20000000 returned -22
[  387.460869][T19980] binder: 19979:19980 ioctl 40046207 0 returned -16
15:42:40 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
write$vnet(r2, &(0x7f0000001440)={0x1, {&(0x7f0000000380)=""/4096, 0x1000, &(0x7f0000001380)=""/149, 0x3, 0x1}}, 0x68)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
r4 = syz_genetlink_get_family_id$nbd(&(0x7f0000000080)='nbd\x00')
sendmsg$NBD_CMD_DISCONNECT(r2, &(0x7f0000000340)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x2100}, 0xc, &(0x7f0000000140)={&(0x7f00000002c0)={0x5c, r4, 0x400, 0x70bd28, 0x25dfdbfd, {}, [@NBD_ATTR_SERVER_FLAGS={0xc}, @NBD_ATTR_TIMEOUT={0xc, 0x4, 0x1b8}, @NBD_ATTR_BLOCK_SIZE_BYTES={0xc, 0x3, 0x44f0f1ea}, @NBD_ATTR_TIMEOUT={0xc, 0x4, 0x30000000000000}, @NBD_ATTR_SERVER_FLAGS={0xc, 0x5, 0x1}, @NBD_ATTR_TIMEOUT={0xc, 0x4, 0xfffffffffffffff9}]}, 0x5c}, 0x1, 0x0, 0x0, 0x20004000}, 0x4040)
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  387.488066][T19980] binder_alloc: 19976: binder_alloc_buf, no vma
[  387.521413][T19977] binder: BINDER_SET_CONTEXT_MGR already set
[  387.572136][T19977] binder: 19976:19977 ioctl 40046207 0 returned -16
[  387.588840][T20081] binder: BINDER_SET_CONTEXT_MGR already set
[  387.617979][T20081] binder: 19976:20081 ioctl 40046207 0 returned -16
[  387.688970][T20081] binder: 19976:20081 ioctl 8905 20000000 returned -22
[  387.703212][T19977] binder_alloc: 19976: binder_alloc_buf, no vma
15:42:40 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
fcntl$F_SET_RW_HINT(r2, 0x40c, &(0x7f0000000000)=0x1)
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  387.736719][T20081] binder: BINDER_SET_CONTEXT_MGR already set
15:42:40 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x200, 0x0)
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

15:42:40 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x7a00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  387.792880][T20081] binder: 19976:20081 ioctl 40046207 0 returned -16
15:42:40 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x8096980000000000, 0x0)

[  387.853835][T20201] binder: 20200:20201 got transaction to invalid handle
[  387.898682][T20192] binder_alloc: 19976: binder_alloc_buf, no vma
15:42:40 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:40 executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r1, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)

15:42:41 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x1000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  388.108708][   T12] binder: send failed reply for transaction 1833 to 20200:20201
[  388.155522][T20317] binder: 20316:20317 got transaction to context manager from process owning it
[  388.174094][T20319] binder: BINDER_SET_CONTEXT_MGR already set
[  388.187178][T20319] binder: 20318:20319 ioctl 40046207 0 returned -16
[  388.189235][T20314] netlink: 'syz-executor.1': attribute type 1 has an invalid length.
[  388.222444][T20320] binder: 20316:20320 got transaction to context manager from process owning it
15:42:41 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x8cffffff00000000, 0x0)

[  388.264413][T20320] binder_alloc: binder_alloc_mmap_handler: 20316 20001000-20004000 already mapped failed -16
15:42:41 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x2000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  388.327565][T20317] binder_alloc: 20316: binder_alloc_buf, no vma
15:42:41 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$radio(&(0x7f0000000000)='/dev/radio#\x00', 0x0, 0x2)
getsockopt$sock_cred(r3, 0x1, 0x11, &(0x7f0000000080), &(0x7f0000000140)=0xc)
r4 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r5 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
getsockopt$inet_tcp_TCP_REPAIR_WINDOW(r1, 0x6, 0x1d, &(0x7f0000000740), &(0x7f0000000780)=0x14)
ioctl$EVIOCGBITSW(r4, 0x80404525, &(0x7f00000002c0)=""/133)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r5, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$VIDIOC_RESERVED(r4, 0x5601, 0x0)
write$binfmt_elf64(r2, &(0x7f0000000380)={{0x7f, 0x45, 0x4c, 0x46, 0x46e, 0x1, 0x2, 0xffffffff, 0xfffffffffffffbff, 0x2, 0x0, 0x30e9af14, 0x2ec, 0x40, 0x294, 0x82, 0x80, 0x38, 0x2, 0x3, 0x5, 0x1000}, [{0x60000000, 0x2a02, 0x4, 0xc9, 0xe591, 0x7, 0x1, 0x3}, {0x6474e553, 0x40, 0x13, 0xfffffffffffffffa, 0x3, 0x8001, 0x9f, 0x3}], "63849195", [[], [], []]}, 0x3b4)
ioctl$KVM_RUN(r5, 0xae80, 0x0)

15:42:41 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x802)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  388.428517][T20531] binder: 20529:20531 got transaction to invalid handle
15:42:41 executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r2, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)

15:42:41 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
syncfs(r0)
r1 = openat$null(0xffffffffffffff9c, &(0x7f0000000040)='/dev/null\x00', 0x420000, 0x0)
r2 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000140)='IPVS\x00')
sendmsg$IPVS_CMD_GET_CONFIG(r1, &(0x7f0000000380)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x102000}, 0xc, &(0x7f0000000340)={&(0x7f00000002c0)={0x44, r2, 0x400, 0x70bd2d, 0x25dfdbfc, {}, [@IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x700}, @IPVS_CMD_ATTR_DEST={0xc, 0x2, [@IPVS_DEST_ATTR_ADDR_FAMILY={0x8, 0xb, 0xa}]}, @IPVS_CMD_ATTR_DEST={0x1c, 0x2, [@IPVS_DEST_ATTR_U_THRESH={0x8, 0x5, 0x3}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x2}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x5}]}]}, 0x44}, 0x1, 0x0, 0x0, 0x8000}, 0xc000)
r3 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r4 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0xc00)
r5 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$VIDIOC_EXPBUF(r4, 0xc0405610, &(0x7f0000000000)={0x6, 0x1, 0xfffffffffffffff9, 0x4000, 0xffffffffffffff9c})
ioctl$KVM_SET_REGS(r5, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r5, 0xae80, 0x0)

[  388.526598][T20579] binder: BINDER_SET_CONTEXT_MGR already set
[  388.549761][T20579] binder: 20564:20579 ioctl 40046207 0 returned -16
[  388.597760][T20643] binder_alloc: binder_alloc_mmap_handler: 20564 20001000-20004000 already mapped failed -16
[  388.610446][T20624] netlink: 'syz-executor.1': attribute type 1 has an invalid length.
15:42:41 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xb803000000000000, 0x0)

15:42:41 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x3000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  388.640769][T26837] binder: send failed reply for transaction 1840 to 20529:20531
[  388.661773][T26837] binder: send failed reply for transaction 1842 to 20564:20643
[  388.667997][T20648] binder_alloc: 20564: binder_alloc_buf, no vma
[  388.712896][T26837] binder: undelivered transaction 1845, process died.
[  388.740910][T20643] binder_transaction: 17 callbacks suppressed
[  388.740927][T20643] binder: 20564:20643 transaction failed 29189/-3, size 24-0 line 3147
15:42:41 executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)

[  388.782389][T20648] binder: 20564:20648 transaction failed 29189/-3, size 24-8 line 3147
15:42:41 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = openat$pfkey(0xffffffffffffff9c, &(0x7f0000000000)='/proc/self/net/pfkey\x00', 0x800, 0x0)
ioctl$KDGKBSENT(r2, 0x4b48, &(0x7f0000000080)={0x1, 0x1ff00, 0xffffffffffff1f4d})
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$FS_IOC_GET_ENCRYPTION_POLICY(r3, 0x400c6615, &(0x7f0000000140))
ioctl$KVM_RUN(r4, 0xae80, 0x0)

15:42:41 executing program 3:
r0 = syz_open_dev$usbmon(&(0x7f0000000000)='/dev/usbmon#\x00', 0xff00, 0x28800)
r1 = syz_open_dev$vbi(&(0x7f0000000040)='/dev/vbi#\x00', 0x0, 0x2)
r2 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dsp\x00', 0x620002, 0x0)
ioctl$sock_kcm_SIOCKCMATTACH(r0, 0x89e0, &(0x7f00000000c0)={r1, r2})
r3 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r4 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r4, 0x0)
bind$netlink(r1, &(0x7f0000000100)={0x10, 0x0, 0x25dfdbfe, 0x80002100}, 0xc)
socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$BINDER_SET_CONTEXT_MGR(r4, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  388.990408][T20665] binder: 20656:20665 got transaction to invalid handle
[  389.008077][T20664] binder: BINDER_SET_CONTEXT_MGR already set
[  389.010877][T20665] binder: 20656:20665 transaction failed 29201/-22, size 0-0 line 2994
15:42:41 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
fchmodat(r2, &(0x7f0000000080)='./file0\x00', 0x40)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='mountstats\x00')
ioctl$RTC_PLL_GET(r2, 0x801c7011, &(0x7f0000000140))
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  389.038340][T20664] binder: 20658:20664 ioctl 40046207 0 returned -16
15:42:42 executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)

[  389.086359][T20736] binder_alloc: binder_alloc_mmap_handler: 20658 20001000-20004000 already mapped failed -16
15:42:42 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x4000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  389.139251][T26837] binder: release 20658:20664 transaction 1852 out, still active
[  389.156071][T26837] binder: unexpected work type, 4, not freed
[  389.185007][T26837] binder: undelivered transaction 1859, process died.
15:42:42 executing program 3:
r0 = accept4$inet6(0xffffffffffffff9c, &(0x7f0000000000)={0xa, 0x0, 0x0, @local}, &(0x7f0000000040)=0x1c, 0x80000)
getsockopt$inet_sctp_SCTP_PEER_ADDR_THLDS(0xffffffffffffffff, 0x84, 0x1f, &(0x7f0000000080)={<r1=>0x0, @in6={{0xa, 0x4e23, 0x3, @empty, 0xf44e}}, 0x7ff0, 0xffff}, &(0x7f0000000140)=0x88)
setsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r0, 0x84, 0x9, &(0x7f0000000380)={r1, @in={{0x2, 0x4e23, @empty}}, 0x10001, 0x7, 0x2, 0x800, 0x1}, 0x98)
r2 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r3 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="0063404000000000cc00000000040000000000000000000000000000180000000000000008000000000000000000000000000000", @ANYPTR64=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR64=&(0x7f0000000240)=ANY=[@ANYBLOB="070000008197ef2f"]], 0x0, 0x0, 0x0})
syz_open_dev$mouse(&(0x7f0000000180)='/dev/input/mouse#\x00', 0x9, 0x20000)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:42 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xca00000000000000, 0x0)

[  389.235511][T26837] binder: send failed reply for transaction 1850 to 20656:20665
[  389.278460][T20777] binder: 20776:20777 got transaction to invalid handle
[  389.285691][T26837] binder: send failed reply for transaction 1852, target dead
[  389.323604][T20777] binder: 20776:20777 transaction failed 29201/-22, size 0-0 line 2994
[  389.335954][T26837] binder: undelivered transaction 1855, process died.
[  389.350890][T26837] binder_release_work: 28 callbacks suppressed
[  389.350896][T26837] binder: undelivered TRANSACTION_ERROR: 29201
15:42:42 executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)

[  389.377875][T26837] binder: undelivered TRANSACTION_ERROR: 29189
[  389.379652][T20797] binder: BINDER_SET_CONTEXT_MGR already set
15:42:42 executing program 5:
r0 = openat$autofs(0xffffffffffffff9c, &(0x7f0000000000)='/dev/autofs\x00', 0x80000, 0x0)
ioctl$sock_inet_SIOCGARP(r0, 0x8954, &(0x7f00000002c0)={{0x2, 0x4e23, @multicast2}, {0x0, @remote}, 0x22, {0x2, 0x4e24, @broadcast}, 'bridge_slave_1\x00'})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  389.419455][T20797] binder: 20790:20797 ioctl 40046207 0 returned -16
[  389.422261][T26837] binder: undelivered TRANSACTION_ERROR: 29189
[  389.476177][T20797] binder_alloc: binder_alloc_mmap_handler: 20790 20001000-20004000 already mapped failed -16
[  389.502738][T20868] binder: BINDER_SET_CONTEXT_MGR already set
[  389.508809][T20868] binder: 20790:20868 ioctl 40046207 0 returned -16
[  389.515369][   T12] binder: undelivered transaction 1864, process died.
15:42:42 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x5000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:42 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000140)={'syz', 0x0}, 0x0, 0x0, 0xfffffffffffffffa)
add_key(&(0x7f0000000000)='blacklist\x00', &(0x7f0000000040)={'syz', 0x1}, &(0x7f00000002c0)="7380c658d54414f2bb12c471808027c64aac80dedc0b3aa74944ad670c0d2e65608557073d74474e5c0fbd35445b68c8104b71a2ad609ad0322d5b2cd704fe1fe4f1b8ee9fd7f21ed9eb714b8a74e3df504ac6775b486f6ec3690bac7c03d6607402e42cdee4", 0x66, r1)
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  389.522985][   T12] binder_release_work: 16 callbacks suppressed
[  389.522990][   T12] binder: undelivered TRANSACTION_COMPLETE
[  389.530911][   T12] binder: undelivered TRANSACTION_ERROR: 29201
[  389.547724][   T12] binder: undelivered TRANSACTION_ERROR: 29189
15:42:42 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xd003000000000000, 0x0)

[  389.611676][ T2597] binder: undelivered TRANSACTION_COMPLETE
[  389.634432][T20979] binder: 20951:20979 got transaction to invalid handle
[  389.654571][ T2597] binder: undelivered TRANSACTION_COMPLETE
15:42:42 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
r2 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/mixer\x00', 0x2000, 0x0)
ioctl$BLKRAGET(r2, 0x1263, &(0x7f0000000040))
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=ANY=[@ANYBLOB="11634840000000000000000000000000000000000000000001000000000000000000000018000000000000000000000000000000", @ANYPTR64=&(0x7f0000000480)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYBLOB="00000000000000000010000000eaff00"], 0x0, 0x0, 0x0})
setsockopt$IP_VS_SO_SET_TIMEOUT(r2, 0x0, 0x48a, &(0x7f0000000080)={0x9, 0xfffffffffffffff8, 0xff}, 0xc)

[  389.667218][T20979] binder: 20951:20979 transaction failed 29201/-22, size 0-0 line 2994
[  389.682125][ T2597] binder: undelivered TRANSACTION_ERROR: 29189
15:42:42 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
write$P9_RXATTRCREATE(r2, &(0x7f0000000000)={0x7, 0x21, 0x1}, 0x7)
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
openat$dlm_plock(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dlm_plock\x00', 0x1, 0x0)
ioctl$KVM_RUN(r3, 0xae80, 0x0)

15:42:42 executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r2, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)

[  389.779597][T21032] binder: BINDER_SET_CONTEXT_MGR already set
[  389.812235][T21032] binder: 21019:21032 ioctl 40046207 0 returned -16
[  389.895686][T21112] netlink: 'syz-executor.1': attribute type 1 has an invalid length.
[  389.907461][T21032] binder: 21019:21032 transaction failed 29201/-28, size 24-0 line 3147
15:42:42 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x6000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  389.952704][   T12] binder: undelivered TRANSACTION_COMPLETE
[  389.958709][   T12] binder: undelivered TRANSACTION_ERROR: 29201
[  389.988470][   T12] binder: undelivered TRANSACTION_ERROR: 29189
15:42:42 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xea03000000000000, 0x0)

15:42:42 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
r1 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/sequencer\x00', 0x44200, 0x0)
epoll_ctl$EPOLL_CTL_DEL(r1, 0x2, r0)
openat$dsp(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dsp\x00', 0x8000, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
getsockopt$inet_sctp_SCTP_PEER_ADDR_THLDS(r1, 0x84, 0x1f, &(0x7f00000002c0)={<r3=>0x0, @in={{0x2, 0x4e24, @rand_addr=0x7fff}}, 0x5, 0x4}, &(0x7f0000000040)=0x88)
setsockopt$inet_sctp_SCTP_AUTH_KEY(r1, 0x84, 0x17, &(0x7f0000000380)={r3, 0x7, 0x58, "d4a8d12ee64d01a3b00fbeb04a534012e9cd9cb2e1c6be7ffbaf98cbf9e0104580c51f95cfeb21026bcc7cf69fc8d19a808da6eb8d2ae6f754ba23fa0b50ea4a8cf81909ced12b4d7ba9a303a63b72f9a39e1f7ca826ef11"}, 0x60)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x40000400, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(0xffffffffffffffff, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, 0x9], 0x1efff, 0x10000})
ioctl$KVM_RUN(0xffffffffffffffff, 0xae80, 0x0)

[  390.020039][T21120] binder_alloc: binder_alloc_mmap_handler: 21019 20001000-20004000 already mapped failed -16
15:42:43 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
bind$inet6(r2, &(0x7f0000000080)={0xa, 0x4e24, 0x8, @remote, 0x400}, 0x1c)
ioctl$KVM_SET_CPUID(r2, 0x4008ae8a, &(0x7f00000002c0)={0x4, 0x0, [{0xb, 0x8, 0x80, 0x4, 0x20}, {0x8000001f, 0x8, 0x5, 0x6b, 0x101}, {0x80000019, 0x8, 0xfffffffffffffc00, 0x2, 0xfffffffffffffff9}, {0xc0000001, 0x1, 0x200, 0x1000, 0x1f}]})
ioctl$KVM_SET_SREGS(r2, 0x4138ae84, &(0x7f0000000340)={{0xf000, 0x103000, 0x1c, 0x1, 0x8, 0x0, 0x5, 0x0, 0x2d5, 0x1, 0x8, 0x10000}, {0xf002, 0x0, 0xb, 0x1000, 0x60b, 0x8, 0x8, 0x1, 0xffff, 0x60, 0xbf, 0x81}, {0x4, 0x3000, 0xf, 0x23, 0x40, 0xfffffffffffffa89, 0x85d5, 0x7, 0x9, 0xa97, 0x9, 0x5}, {0x2, 0x5000, 0x14, 0x10001, 0x1ff, 0xfffffffffffffffa, 0x81, 0xffff, 0x8, 0xfffffffffffffffb, 0x72a0, 0x8}, {0x2, 0x103000, 0x1f, 0x8, 0x7, 0x8, 0x6768, 0x9, 0x200, 0x1, 0x9, 0x101}, {0x0, 0x1, 0x0, 0x20, 0x7, 0x7, 0xff, 0x400000, 0x72, 0x1f, 0x8, 0x3b04}, {0xd000, 0x1000, 0x0, 0x10001, 0x1000, 0x7, 0x1f, 0x100, 0x3, 0xd3c, 0x20, 0x6}, {0x4, 0x2, 0x10, 0x100000000, 0x2, 0x1000, 0x0, 0x3, 0x6, 0xfffffffffffffffd, 0x3, 0xfffffffffffffffe}, {0xd002, 0x3000}, {0x2, 0x5000}, 0x2, 0x0, 0xf000, 0x2000, 0xf, 0x800, 0x1000, [0x8, 0x9, 0x9, 0x1f]})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)
getsockopt$EBT_SO_GET_INIT_INFO(r2, 0x0, 0x82, &(0x7f0000000480)={'broute\x00'}, &(0x7f0000000000)=0x50)

[  390.063177][T21173] binder: 21149:21173 got transaction to invalid handle
[  390.081862][T21120] binder: 21019:21120 transaction failed 29201/-28, size 24-0 line 3147
[  390.083127][ T2597] binder: undelivered TRANSACTION_COMPLETE
[  390.101557][T21173] binder: 21149:21173 transaction failed 29201/-22, size 0-0 line 2994
[  390.123199][ T2597] binder: undelivered TRANSACTION_ERROR: 29189
[  390.129511][ T2597] binder: undelivered TRANSACTION_ERROR: 29201
[  390.145906][ T2597] binder: release 21019:21120 transaction 1875 out, still active
[  390.154253][ T2597] binder: unexpected work type, 4, not freed
[  390.160570][ T2597] binder: undelivered TRANSACTION_COMPLETE
15:42:43 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
ioctl$int_in(r0, 0x0, &(0x7f0000000040)=0x1ff)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR64=&(0x7f0000000200)=ANY=[@ANYBLOB="852ab70800000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR64=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})
r2 = openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ubi_ctrl\x00', 0xc83, 0x0)
setsockopt$TIPC_MCAST_BROADCAST(r2, 0x10f, 0x85)
r3 = syz_open_dev$swradio(&(0x7f0000000000)='/dev/swradio#\x00', 0x1, 0x2)
ioctl$PERF_EVENT_IOC_REFRESH(r3, 0x2402, 0x9)
prctl$PR_CAPBSET_READ(0x17, 0xc)

15:42:43 executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r2, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)

15:42:43 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x7000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  390.294092][T21343] binder: 21328:21343 ioctl 0 20000040 returned -22
[  390.310587][ T2597] binder: send failed reply for transaction 1875, target dead
[  390.318533][ T2597] binder: undelivered TRANSACTION_COMPLETE
15:42:43 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf603000000000000, 0x0)

15:42:43 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
r1 = syz_open_dev$swradio(&(0x7f0000000040)='/dev/swradio#\x00', 0x1, 0x2)
getsockopt$inet_IP_XFRM_POLICY(0xffffffffffffff9c, 0x0, 0x11, &(0x7f00000002c0)={{{@in=@initdev, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r2=>0x0}}, {{@in6=@initdev}, 0x0, @in6=@empty}}, &(0x7f0000000140)=0xe8)
getgroups(0x3, &(0x7f00000003c0)=[0xffffffffffffffff, <r3=>0x0, 0xee01])
fchownat(r1, &(0x7f0000000080)='./file0\x00', r2, r3, 0x400)
r4 = syz_open_dev$sndpcmp(&(0x7f0000000000)='/dev/snd/pcmC#D#p\x00', 0x40, 0x8102)
ioctl$KDDISABIO(r4, 0x4b37)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r5 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r5, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r6, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
socket$inet6_tcp(0xa, 0x1, 0x0)
ioctl$KVM_RUN(r6, 0xae80, 0x0)
prctl$PR_SET_THP_DISABLE(0x29, 0x0)

[  390.389033][T21343] binder: 21328:21343 transaction failed 29189/-22, size 24-8 line 2994
[  390.414944][T21400] binder: 21399:21400 got transaction to invalid handle
[  390.460037][T21343] binder: 21328:21343 ioctl 0 20000040 returned -22
[  390.465691][T21400] binder: 21399:21400 transaction failed 29201/-22, size 0-0 line 2994
[  390.475953][T21367] binder: 21328:21367 got transaction with invalid offset (0, min 0 max 24) or object.
[  390.498428][   T12] binder: undelivered TRANSACTION_COMPLETE
15:42:43 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
r5 = socket$inet6_udplite(0xa, 0x2, 0x88)
bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000480)={<r6=>0xffffffffffffffff, r3, 0x0, 0x1, &(0x7f0000000440)='\x00'}, 0x30)
syz_open_procfs$namespace(r6, &(0x7f00000004c0)='ns/user\x00')
ioctl$KVM_RUN(r4, 0xae80, 0x0)
getsockopt$inet_sctp6_SCTP_RTOINFO(r3, 0x84, 0x0, &(0x7f0000000000)={<r7=>0x0, 0x1, 0x0, 0x1}, &(0x7f0000000080)=0x10)
ioctl$VIDIOC_S_AUDIO(r2, 0x40345622, &(0x7f0000000500)={0x5, "397b4e441b5dc7a82ee0cafd070294972127a3296e25e0e9f8a7bf393e668af1", 0x2, 0x1})
ioctl$VHOST_SET_LOG_BASE(r5, 0x4008af04, &(0x7f0000000340)=&(0x7f0000000300))
ioctl$EVIOCGVERSION(r3, 0x80044501, &(0x7f00000003c0)=""/80)
ioctl$DRM_IOCTL_SET_VERSION(r3, 0xc0106407, &(0x7f0000000380)={0x0, 0x7, 0xa6, 0x40})
getsockopt$inet_sctp6_SCTP_AUTH_ACTIVE_KEY(r3, 0x84, 0x18, &(0x7f0000000140)={r7, 0x8}, &(0x7f00000002c0)=0x8)

[  390.505688][   T12] binder: undelivered TRANSACTION_COMPLETE
15:42:43 executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r2, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)

15:42:43 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
fdatasync(r1)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:43 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0xa000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  390.677727][T21571] netlink: 'syz-executor.1': attribute type 1 has an invalid length.
[  390.694828][   T12] binder: undelivered transaction 1885, process died.
[  390.702005][   T12] binder_send_failed_reply: 6 callbacks suppressed
[  390.702014][   T12] binder: send failed reply for transaction 1881 to 21399:21400
[  390.721947][T21574] binder_alloc: binder_alloc_mmap_handler: 21572 20001000-20004000 already mapped failed -16
15:42:43 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf6ffffff00000000, 0x0)

[  390.768690][T21581] binder: BINDER_SET_CONTEXT_MGR already set
[  390.776677][   T12] binder: undelivered transaction 1883, process died.
[  390.805075][T21581] binder: 21580:21581 ioctl 40046207 0 returned -16
[  390.805796][   T12] binder: undelivered TRANSACTION_COMPLETE
15:42:43 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
fanotify_init(0x4, 0x181000)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x598fff, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
setsockopt$bt_BT_FLUSHABLE(r2, 0x112, 0x8, &(0x7f0000000000)=0xc59f, 0x4)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x10004, 0x0, 0x10000, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

[  390.817690][T21573] binder: BINDER_SET_CONTEXT_MGR already set
[  390.834142][T21573] binder: 21572:21573 ioctl 40046207 0 returned -16
15:42:43 executing program 3:
ioctl$sock_kcm_SIOCKCMCLONE(0xffffffffffffff9c, 0x89e2, &(0x7f0000000000)={<r0=>0xffffffffffffffff})
ioctl$FS_IOC_SETFLAGS(r0, 0x40046602, &(0x7f0000000040)=0x6)
r1 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r2 = openat$cachefiles(0xffffffffffffff9c, &(0x7f0000000080)='/dev/cachefiles\x00', 0x40, 0x0)
write$FUSE_NOTIFY_RETRIEVE(r2, &(0x7f00000000c0)={0x30, 0x5, 0x0, {0x0, 0x5, 0x0, 0x1}}, 0x30)
r3 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r3, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR64=&(0x7f0000000100)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB="00000000752133aab000000000"], @ANYPTR64=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000700), 0x0, 0x0, 0x0})

[  390.865455][   T12] binder: send failed reply for transaction 1887 to 21572:21573
[  390.878220][   T12] binder: undelivered transaction 1890, process died.
15:42:43 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
setsockopt$SO_RDS_TRANSPORT(r2, 0x114, 0x8, &(0x7f0000000000)=0xffffffffffffffff, 0x4)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

15:42:43 executing program 1:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r2, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)

15:42:43 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x20000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  391.025398][T21793] binder_alloc: binder_alloc_mmap_handler: 21763 20001000-20004000 already mapped failed -16
15:42:44 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
r4 = syz_genetlink_get_family_id$tipc(&(0x7f0000000040)='TIPC\x00')
sendmsg$TIPC_CMD_GET_NODES(r2, &(0x7f00000002c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x80000100}, 0xc, &(0x7f0000000140)={&(0x7f0000000080)={0x1c, r4, 0x200, 0x70bd28, 0x25dfdbff, {}, ["", "", "", "", "", "", ""]}, 0x1c}, 0x1, 0x0, 0x0, 0x10}, 0x4000080)
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  391.123131][T21800] netlink: 'syz-executor.1': attribute type 1 has an invalid length.
[  391.132919][T21804] binder: BINDER_SET_CONTEXT_MGR already set
15:42:44 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xf9fdffff00000000, 0x0)

[  391.172614][T21804] binder: 21801:21804 ioctl 40046207 0 returned -16
[  391.180020][   T12] binder: send failed reply for transaction 1893 to 21763:21770
15:42:44 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
r2 = open(&(0x7f0000000000)='./file0\x00', 0x0, 0x10)
ioctl$VIDIOC_S_PARM(r2, 0xc0cc5616, &(0x7f0000000040)={0xf, @output={0x1000, 0x1, {0x7f, 0x8}, 0x8000, 0x4}})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:44 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = syz_open_procfs(0x0, &(0x7f0000000000)='net/netfilter\x00')
ioctl$SNDRV_CTL_IOCTL_RAWMIDI_INFO(r1, 0xc10c5541, &(0x7f00000002c0)={0x7d1, 0x100000000, 0x0, 0x0, 0x0, [], [], [], 0x9, 0x5})
dup(r0)
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

15:42:44 executing program 1:
openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0)

[  391.335158][T21887] binder_alloc: binder_alloc_mmap_handler: 21866 20001000-20004000 already mapped failed -16
[  391.366538][T21881] binder: BINDER_SET_CONTEXT_MGR already set
15:42:44 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x48000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  391.378835][T21924] netlink: 'syz-executor.1': attribute type 1 has an invalid length.
[  391.390732][T21881] binder: 21866:21881 ioctl 40046207 0 returned -16
15:42:44 executing program 1:
openat$kvm(0xffffffffffffff9c, &(0x7f0000000440)='/dev/kvm\x00', 0x4000000a, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0)

[  391.442951][T21927] binder_alloc_new_buf_locked: 2 callbacks suppressed
[  391.442959][T21927] binder_alloc: 21866: binder_alloc_buf, no vma
[  391.470195][T21931] binder: BINDER_SET_CONTEXT_MGR already set
15:42:44 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xfeffffff00000000, 0x0)

[  391.507533][   T12] binder: release 21866:21881 transaction 1898 out, still active
[  391.515782][T21887] binder_alloc: 21866: binder_alloc_buf, no vma
[  391.523150][T21931] binder: 21930:21931 ioctl 40046207 0 returned -16
[  391.532145][   T12] binder: unexpected work type, 4, not freed
[  391.542922][   T12] binder: send failed reply for transaction 1898, target dead
15:42:44 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = openat$vim2m(0xffffffffffffff9c, &(0x7f0000000000)='/dev/video35\x00', 0x2, 0x0)
ioctl$VIDIOC_G_TUNER(r2, 0xc054561d, &(0x7f0000000040)={0x7f, "56ab02eed99731daf2fe45a6e09ae20164171fbc3f14b197d734e5c72324b61a", 0x4, 0x200, 0xef9, 0x6, 0x14, 0x2, 0x3ff, 0x1})
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

15:42:44 executing program 3:
r0 = syz_open_dev$dspn(&(0x7f0000000000)='/dev/dsp#\x00', 0x5, 0x80000)
timerfd_gettime(r0, &(0x7f0000000040))
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BLKFRASET(r0, 0x1264, &(0x7f0000000080)=0x9)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})
ioctl$SCSI_IOCTL_SYNC(r1, 0x4)
ioctl$VIDIOC_S_FREQUENCY(r0, 0x402c5639, &(0x7f00000000c0)={0x3ff, 0x5, 0x2})

[  391.594158][T21957] netlink: 'syz-executor.1': attribute type 1 has an invalid length.
[  391.605359][   T12] binder: undelivered transaction 1901, process died.
15:42:44 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x4c000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:44 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/mixer\x00', 0x101800, 0x0)
getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffff9c, 0x29, 0x23, &(0x7f00000002c0)={{{@in6=@ipv4={[], [], @multicast1}, @in6=@empty, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, <r3=>0x0}}, {{@in=@dev}, 0x0, @in=@local}}, &(0x7f0000000080)=0xe8)
lstat(&(0x7f0000000140)='./file0\x00', &(0x7f00000003c0)={0x0, 0x0, 0x0, 0x0, <r4=>0x0, <r5=>0x0})
getresuid(&(0x7f0000000440)=<r6=>0x0, &(0x7f0000000480)=<r7=>0x0, &(0x7f00000004c0)=<r8=>0x0)
getsockopt$inet_IP_IPSEC_POLICY(r0, 0x0, 0x10, &(0x7f0000000580)={{{@in6, @in=@broadcast}}, {{@in6=@empty}, 0x0, @in=@remote}}, &(0x7f0000000680)=0xe8)
write$P9_RSTATu(r2, &(0x7f0000000500)={0x71, 0x7d, 0x2, {{0x0, 0x54, 0x80, 0x3, {0x80, 0x0, 0x1}, 0x100000, 0x1, 0x20, 0x3, 0xe, 'selinuxvmnet0$', 0x0, '', 0x6, 'wlan0\x8e', 0xd, 'vboxnet0bdev('}, 0x8, '{,vmnet0', r3, r5, r8}}, 0x71)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x2, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x0, 0x0, 0x0, 0x0, 0x40000000}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
dup2(r2, r1)
ioctl$VIDIOC_G_AUDIO(r2, 0x80345621, &(0x7f00000006c0))
r9 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(0xffffffffffffffff, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
ioctl$KVM_RUN(0xffffffffffffffff, 0xae80, 0x0)
write$FUSE_DIRENTPLUS(r9, &(0x7f0000000a80)=ANY=[@ANYBLOB="a002000000000000080000000000000004000000000000000000000000000000ff0f0000000000000000000000000000000000000800000001000000000000005e00000000000000010000000000000009000000000000003f0000000000000007000000000000000200000003000000040000000008000006000000", @ANYRES32=r7, @ANYRES32=r5, @ANYBLOB="070000000000010000000000000000000100000000000800000000000600000000000000776c616e308e00000500000000000000030000000000000001010000000000004000000000000000080000000900000002000000000000004200000000000000d7000000000000000900000000000000060000000000000004000000000000000100000000000000000000f80000000000000000", @ANYRES32=r8, @ANYRES32=r5, @ANYBLOB="04000000ff03000000000000020000000000000003000000000000000b000000040000002f6465762f6d69786572000000000000010000000000000003000000000000000100000000000000080000000000000001010000fdffffff0000000000000000030000000000000001000000010000000002000000000000ff0700000000000009000000000000000000000000000080070000000900000002000000", @ANYRES32=r6, @ANYRES32=r5, @ANYBLOB="0500000001000000000000000600000000000000ff0100000000000004000000080000007d252b2900000000040000000000000000000000000000000000000000000000feffffffffffffff0100008007000000010000000000000000000000000000000800000000000000001000000000000003000000000000000100000000000000ff010000080000000200000004000000ff7f0000", @ANYRES32=r4, @ANYRES32=r5, @ANYBLOB="0600b49e490001000000000000000003000000000000000733000000f2ff0009000000c90200002f6465762f6b766d0000000000000000a19cba913f5a0f78baad99c5696cc70ed872117edafbf43ff9237df6824700b22af46eb14b2ac2e14fc81b233dee60d50ffd0b718037f685d34c9b47df953a421db8f3eb6754462932f533995b128ec1ca8ee03b374b77221675446a3819efe0a2090f0b1887babbc04aa1bf509c378ba02cf508f3c68e9d68a3c12a0a94e03c75c2fa7fe090155d682879e18aa4b7985aaec8b415011f47b0b15dac2f3679130f7f2d109b8d7298e87415e819664d87eead30580dd37dacbe9c439aeceb377ff481f84d55e2431e02bc07b1353574d54e10b7445f05687be45312b5d672df6ce2247f27ea6c239eba9e"], 0x2a0)

15:42:44 executing program 1:
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0)

[  391.749181][T22051] binder: 22050:22051 got transaction to invalid handle
15:42:44 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=ANY=[@ANYBLOB="11634840000000000000000000000000000000000000000001000000000000000000000018000000000000000000000000000000", @ANYPTR64=&(0x7f0000000000)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB="000009ccec743482dbbcd9000000000000"], @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'], 0x0, 0x0, 0x0})
r2 = syz_open_dev$amidi(&(0x7f0000000040)='/dev/amidi#\x00', 0x7e7, 0x400)
epoll_ctl$EPOLL_CTL_MOD(r2, 0x3, r0, &(0x7f00000000c0)={0x2})
ioctl$UI_END_FF_ERASE(r2, 0x400c55cb, &(0x7f0000000080)={0x7, 0x0, 0xf93a})

15:42:44 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xffffff7f00000000, 0x0)

15:42:44 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x60000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:44 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, &(0x7f0000000040)='./file0\x00', 0x0, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
r5 = socket$inet6_udplite(0xa, 0x2, 0x88)
bpf$BPF_TASK_FD_QUERY(0x14, &(0x7f0000000480)={<r6=>0xffffffffffffffff, r3, 0x0, 0x1, &(0x7f0000000440)='\x00'}, 0x30)
syz_open_procfs$namespace(r6, &(0x7f00000004c0)='ns/user\x00')
ioctl$KVM_RUN(r4, 0xae80, 0x0)
getsockopt$inet_sctp6_SCTP_RTOINFO(r3, 0x84, 0x0, &(0x7f0000000000)={<r7=>0x0, 0x1, 0x0, 0x1}, &(0x7f0000000080)=0x10)
ioctl$VIDIOC_S_AUDIO(r2, 0x40345622, &(0x7f0000000500)={0x5, "397b4e441b5dc7a82ee0cafd070294972127a3296e25e0e9f8a7bf393e668af1", 0x2, 0x1})
ioctl$VHOST_SET_LOG_BASE(r5, 0x4008af04, &(0x7f0000000340)=&(0x7f0000000300))
ioctl$EVIOCGVERSION(r3, 0x80044501, &(0x7f00000003c0)=""/80)
ioctl$DRM_IOCTL_SET_VERSION(r3, 0xc0106407, &(0x7f0000000380)={0x0, 0x7, 0xa6, 0x40})
getsockopt$inet_sctp6_SCTP_AUTH_ACTIVE_KEY(r3, 0x84, 0x18, &(0x7f0000000140)={r7, 0x8}, &(0x7f00000002c0)=0x8)

[  391.960359][T22215] binder: BINDER_SET_CONTEXT_MGR already set
[  391.994537][T22215] binder: 22213:22215 ioctl 40046207 0 returned -16
[  391.994624][   T12] binder: send failed reply for transaction 1905 to 22050:22051
15:42:45 executing program 1:
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0)

[  392.045471][T22270] binder_alloc: binder_alloc_mmap_handler: 22213 20001000-20004000 already mapped failed -16
[  392.082728][T22270] binder_alloc: 22213: binder_alloc_buf, no vma
15:42:45 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
lstat(&(0x7f0000000040)='./file0\x00', &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, <r3=>0x0})
fchownat(r2, 0x0, 0x0, r3, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$sock_inet6_tcp_SIOCOUTQ(r2, 0x5411, &(0x7f0000000140))
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r4, 0xae80, 0x0)

[  392.098758][T22215] binder_alloc: 22213: binder_alloc_buf, no vma
[  392.114970][T22274] binder: 22271:22274 got transaction to invalid handle
15:42:45 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})
r2 = syz_open_dev$usb(&(0x7f0000000000)='/dev/bus/usb/00#/00#\x00', 0x80000000, 0x0)
ioctl$KVM_SET_TSC_KHZ(r2, 0xaea2, 0xffff)

[  392.150840][T22279] netlink: 'syz-executor.1': attribute type 1 has an invalid length.
15:42:45 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xffffffff00000000, 0x0)

[  392.257558][T22378] binder: BINDER_SET_CONTEXT_MGR already set
15:42:45 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x68000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  392.336107][T22378] binder: 22377:22378 ioctl 40046207 0 returned -16
[  392.349338][T26837] binder: send failed reply for transaction 1913 to 22271:22274
[  392.377913][T26837] binder: send failed reply for transaction 1915 to 22377:22458
15:42:45 executing program 1:
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0)

[  392.419853][T22458] binder_alloc: binder_alloc_mmap_handler: 22377 20001000-20004000 already mapped failed -16
[  392.424338][T26837] binder: undelivered transaction 1918, process died.
[  392.455109][T22494] binder_alloc: 22377: binder_alloc_buf, no vma
[  392.473702][T22493] binder: BINDER_SET_CONTEXT_MGR already set
[  392.494644][T22497] netlink: 'syz-executor.1': attribute type 1 has an invalid length.
[  392.503576][T22493] binder: 22492:22493 ioctl 40046207 0 returned -16
[  392.510991][T22378] binder_alloc: 22377: binder_alloc_buf, no vma
15:42:45 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
r2 = openat$ashmem(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ashmem\x00', 0x180, 0x0)
ioctl$ASHMEM_GET_NAME(r2, 0x81007702, &(0x7f0000000100)=""/71)
r3 = syz_open_dev$audion(&(0x7f0000000000)='/dev/audio#\x00', 0x1ff, 0x200000)
write$P9_RREADDIR(r3, &(0x7f0000000040)={0x68, 0x29, 0x1, {0x22e1, [{{0x2c, 0x4, 0x5}, 0x7ff, 0x5, 0x7, './file0'}, {{0x2, 0x1, 0x1}, 0x6, 0x6, 0x7, './file0'}, {{0x0, 0x4, 0x8}, 0x2ac0, 0x2, 0x7, './file0'}]}}, 0x68)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

15:42:45 executing program 1:
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0)

[  392.617609][T22546] binder_alloc: binder_alloc_mmap_handler: 22540 20001000-20004000 already mapped failed -16
15:42:45 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0xfffffffffffff000, 0x0)

15:42:45 executing program 5:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
r2 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ppp\x00', 0x0, 0x0)
syz_genetlink_get_family_id$SEG6(&(0x7f0000000140)='SEG6\x00')
ioctl$PPPIOCATTACH(r2, 0x4004743d, &(0x7f0000000080)=0x1)
r3 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r4, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000})
ioctl$KVM_RUN(r4, 0xae80, 0x0)
ioctl$TIOCMBIS(r3, 0x5416, &(0x7f00000002c0))

[  392.668430][T22542] binder: BINDER_SET_CONTEXT_MGR already set
15:42:45 executing program 1:
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0)

[  392.745570][T22542] binder: 22540:22542 ioctl 40046207 0 returned -16
[  392.752999][T22610] binder_alloc: 22540: binder_alloc_buf, no vma
15:42:45 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x6c000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:45 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000)='/dev/kvm\x00', 0x1000000000, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_GET_CPUID2(r2, 0xc008ae91, &(0x7f00000002c0)={0x5, 0x0, [{}, {}, {}, {}, {}]})
ioctl$KVM_RUN(r3, 0xae80, 0x0)
r4 = add_key(&(0x7f0000000040)='.dead\x00', &(0x7f0000000080)={'syz', 0x1}, &(0x7f00000003c0)="6ae29673918ba1f5ea8cbe8a719bacd64ca4fb3ebf38b10dc7e33aba7ac5f8749d35fdef7432431e71f1d8a926f17d6fdc1b249dc82fdd4ac8d4870d80ea2f90ae71f27fb59ab6862f954b8627f76b7d2a97753eb06dc9da045a6c7fdb443a203ab18976486cf4b3fc8a84b4c974b9c3ea933084a8c8c20d238a4a4e6ecc1a1c0c79c9fbfb5a19f0956f5a44e980b4f4", 0x90, 0xfffffffffffffff8)
keyctl$KEYCTL_PKEY_VERIFY(0x1c, &(0x7f00000000c0)={r4, 0x62a}, &(0x7f0000000480)={'enc=', 'pkcs1', ' hash=', {'md4\x00'}}, &(0x7f0000000140)="b407488001244424df7df2e892cacb3c4003c7e2", &(0x7f0000000500)="3ebbb09968b4468cec47766c893e3124ec9ec4ecf366d44635d5cb368cc29f93b4416bdb21b0d24c088bd2b15bbbd2fcbf1c965e633d01f5d51c7bbf031416f4068c9daee6be7f12adcfd486170d2f8818b6aa1563633fa04eecdadd91a3b6195fcf4d98900988b8452c424ffcebfab55aef8eb21dbdb15ee41d6b0008fd5a3bdec9907632325742631754517586fe938ee2cc37a70ec1e3dcb074db3f595188d0d30c2bb9f88a2adb50a31fc0c1c2ed9fe051af82cdfcef1f1fbcb2c42a615e9bc607b4")

[  392.788661][T22546] binder_alloc: 22540: binder_alloc_buf, no vma
[  392.812483][    T5] binder: release 22540:22542 transaction 1923 out, still active
15:42:45 executing program 2:
r0 = syz_open_dev$mice(&(0x7f0000000040)='/dev/input/mice\x00', 0x0, 0x60840)
sendmsg$nl_crypto(r0, &(0x7f0000000280)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x4202402}, 0xc, &(0x7f0000000240)={&(0x7f00000000c0)=@alg={0x108, 0x10, 0x100, 0x70bd2d, 0x25dfdbfb, {{'ctr-camellia-aesni\x00'}, [], [], 0x2400, 0x2400}, [{0x8, 0x1, 0xff}, {0x8, 0x1, 0x547}, {0x8, 0x1, 0x84}, {0x8, 0x1, 0x7}, {0x8, 0x1, 0x5}]}, 0x108}, 0x1, 0x0, 0x0, 0x20004010}, 0x4004051)
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=ANY=[], &(0x7f0000000200)='./file0\x00', &(0x7f0000000000)='c\x00\x00\x06\x00', 0x0, 0x0)
sendto(r0, &(0x7f0000000380)="5e23f4a6a8ccadbcba6ca6170c090f04f57df5f7657ffd6fd2aa5be862085160f695e161a7e730c80ed6b6374d54b7aeb8653308f0cca83d7b555056c0b69c4f60948c187a14ccfcd2fde96940b4318d313f6870cbaf2a0940f9de7a561fd78e77e5ecfc4332298b8f910ff5dbca7a9d1ed45fd7090d7b262cafb53482bd1b6d76c0bc607b274d5c1f859789511a8e64f44c6aea8964fa89c9798d25308d47d219febcaaf25698dbf330406290e85069487913978f3d1ab4e86d5447f9e6cd651bedeff26fe9d53bcca23e1b3c72140c59db419ae92f66695647bd64c5f0a314", 0xe0, 0x1, 0x0, 0x0)

[  392.835641][    T5] binder: unexpected work type, 4, not freed
[  392.841807][    T5] binder: send failed reply for transaction 1923, target dead
15:42:45 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
syz_open_dev$binder(&(0x7f0000000000)='/dev/binder#\x00', 0x0, 0x8986c1dc7fa3a8e9)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  392.922774][    T5] binder: undelivered transaction 1926, process died.
[  392.923770][T22625] binder: 22622:22625 got transaction to invalid handle
15:42:45 executing program 1:
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0)

[  393.001593][T22630] binder: BINDER_SET_CONTEXT_MGR already set
[  393.041057][T22630] binder: 22628:22630 ioctl 40046207 0 returned -16
15:42:46 executing program 2:
clock_gettime(0x1, &(0x7f0000000300)={<r0=>0x0, <r1=>0x0})
utimes(&(0x7f0000000000)='./file0\x00', &(0x7f00000000c0)={{}, {r0, r1/1000+30000}})
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
r2 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000140)='/dev/sequencer\x00', 0x80, 0x0)
r3 = syz_genetlink_get_family_id$tipc(&(0x7f00000001c0)='TIPC\x00')
sendmsg$TIPC_CMD_SHOW_NAME_TABLE(r2, &(0x7f00000002c0)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x1080}, 0xc, &(0x7f0000000280)={&(0x7f0000000240)={0x30, r3, 0x1, 0x70bd2c, 0x25dfdbfd, {{}, 0x0, 0x5, 0x0, {0x14, 0x19, {0x2, 0x3f, 0x3, 0x4}}}, [""]}, 0x30}, 0x1, 0x0, 0x0, 0x4080}, 0x40004)
mount(&(0x7f0000000080)=ANY=[@ANYBLOB="5b643a3a5d3a2f6c6c623aff0e1214ac6efe3c01a89bc77c89079f191a8fb9a0bf5bf2850b53bf12fc512ded4167be200b899292219649d3380654b5"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)
socket$nl_route(0x10, 0x3, 0x0)

15:42:46 executing program 5:
r0 = open(&(0x7f00000006c0)='./file0/file0\x00', 0x414bf31f4cfba5de, 0x91)
ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT(r0, 0xc04c5349, &(0x7f0000000700)={0x5, 0x7ff, 0x90})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r2 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r2, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000240)=[{&(0x7f0000000000)="2e000000110081aee405d10200000e00fa076b000900000000f3ff500befccd77f00000000081c5eda00b0eba06a", 0x2e}], 0x1}, 0x0)
r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r4 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(0xffffffffffffff9c, 0x84, 0x70, &(0x7f00000002c0)={<r5=>0x0, @in={{0x2, 0x4e21, @empty}}, [0x3, 0x9, 0x9, 0xfffffffffffffffb, 0x0, 0x0, 0x2, 0xffffffffffffc0ac, 0x1f, 0x3, 0xfffffffffffff818, 0x1000, 0x8, 0x5]}, &(0x7f00000003c0)=0x100)
getsockopt$inet_sctp6_SCTP_RTOINFO(r4, 0x84, 0x0, &(0x7f0000000400)={r5, 0xbe99, 0x10001, 0x1000}, &(0x7f0000000440)=0x10)
r6 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r7 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
r8 = creat(&(0x7f0000000200)='./file0\x00', 0x40)
setsockopt$inet6_udp_encap(r8, 0x11, 0x64, &(0x7f0000000600)=0x800000000000005, 0x3)
ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r7, 0x4090ae82, &(0x7f0000000000)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x800, 0x0, 0x1000, 0xfffffffffffffffe], 0x1f001, 0x10000})
r9 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000280)='/dev/vsock\x00', 0x0, 0x0)
ioctl$KVM_HAS_DEVICE_ATTR(r8, 0x4018aee3, &(0x7f00000005c0)={0x0, 0x8, 0x9, &(0x7f0000000140)=0xd1})
openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000680)='/proc/capi/capi20ncci\x00', 0x100, 0x0)
ioctl$KVM_RUN(r7, 0xae80, 0x0)
ioctl$KVM_SET_XCRS(r8, 0x4188aea7, &(0x7f0000000580)={0x2, 0x9, [{0x8, 0x0, 0x1}, {0x200}]})
ioctl$EVIOCGBITSW(r2, 0x80404525, &(0x7f00000004c0)=""/162)
ioctl$CAPI_GET_MANUFACTURER(r6, 0xc0044306, &(0x7f0000000480)=0xac)
flistxattr(r9, &(0x7f0000000640)=""/46, 0x2e)

15:42:46 executing program 1:
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r0, 0x0, 0x0)
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0)

[  393.095510][T22707] binder: BINDER_SET_CONTEXT_MGR already set
[  393.121504][T22707] binder: 22628:22707 ioctl 40046207 0 returned -16
15:42:46 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
accept4(r2, &(0x7f0000000400)=@pppol2tpin6, &(0x7f0000000000)=0x80, 0xa9adb2af4651e89)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)
timer_create(0x7, &(0x7f0000000040)={0x0, 0x33, 0x1, @thr={&(0x7f0000000000), &(0x7f00000002c0)="e27c68a2691e635605b4ff19cfb7d1e4d0f8f1c8ff175b8a801d48f852ac18c55d6f3818ced97b1d95da4af53889770be0a25acfa47853342ef829c2d0952eeb6b667b89ac9ed0d6336a7715c341131a427235cc13c656e932bc4a5b874f2eb80fa2d3f937d537f0a22fdd5c24d5de75de43986fcc2e2fdf803e66f29e37ab82f41e191aef770fbff568a4c953c0dc8d137870f8f900420b75b135a736bcdce722b894930617d8a34b546b99f38137e8e8178a3483cc59f5327f5d8fb3fd19d77e198939dd9aef65737250234fedd91db035f431bd5143872bf3ee6c8ffbd7d761f3913ce58edc3b10"}}, &(0x7f0000000080)=<r4=>0x0)
timer_settime(r4, 0x0, &(0x7f0000000140)={{0x77359400}}, &(0x7f00000003c0))

15:42:46 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x74000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  393.176132][    T5] binder: release 22628:22630 transaction 1932 out, still active
[  393.201607][    T5] binder: unexpected work type, 4, not freed
[  393.207138][T22747] netlink: 14 bytes leftover after parsing attributes in process `syz-executor.5'.
15:42:46 executing program 1:
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r0, 0x0, 0x0)
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0)

15:42:46 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=ANY=[@ANYBLOB="11634840000000000000000000000000000000000000000001000000000000000000000018000000000000000000000000000000", @ANYPTR64=&(0x7f0000000480)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB="0000000000000001"], @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'], 0x0, 0x0, 0x0})
r2 = syz_open_dev$usbmon(&(0x7f0000000000)='/dev/usbmon#\x00', 0x8a, 0x101000)
fcntl$setpipe(r1, 0x407, 0x9)
getsockopt$inet_sctp_SCTP_GET_LOCAL_ADDRS(r0, 0x84, 0x6d, &(0x7f00000004c0)=ANY=[@ANYRES32=<r3=>0x0, @ANYBLOB="1c000000d27ba46ff75ed0846f12e642daeb33cd72db45136634903ee7c1bc827805f476c6bdf8384caaee0e3effbfbcd55f9beb544a77e657e013d29f5d199bd1ada436781b41752329031f00e4c404cb481f55811fe74333e651bef41b46dba504c3ca133923949329d2b90d3a0335b51f10c409660e3b33de9cb5aab7aa4df8c2c33c735afe06920a4776d18d1cdf87fc771cc07ee54b7de1072664f8efa09c45ba564632c536c4530c86e288d0c1a6bc810b7438952c5be2c517fe203dc33b929cd6eb2dc0bc3418142dd639353b973b56f908c7f850624b57f8fcd6435413e2e5d609753a1082f4276c025994edaa75b80d2ee489151b1a2ce0f6077e8360e702b5f2c49d9d4c534b072c29e20d752c2142b6528c416b"], &(0x7f0000000080)=0x24)
openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup.cpu/syz0\x00', 0x200002, 0x0)
getsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(r2, 0x84, 0xa, &(0x7f00000000c0)={0x100, 0xffffffffffffff7f, 0x4, 0xff, 0x0, 0x5, 0x7fff, 0x16c9, r3}, &(0x7f0000000100)=0x20)

[  393.234290][    T5] binder: undelivered transaction 1939, process died.
[  393.259261][    T5] binder: send failed reply for transaction 1930 to 22622:22625
[  393.286133][T22754] binder: 22752:22754 got transaction to invalid handle
[  393.306610][    T5] binder: send failed reply for transaction 1932, target dead
15:42:46 executing program 1:
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r0, 0x0, 0x0)
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0)

[  393.359705][    T5] binder: undelivered transaction 1935, process died.
[  393.370645][    T5] binder: send failed reply for transaction 1936 to 22628:22630
[  393.378705][T22770] binder: BINDER_SET_CONTEXT_MGR already set
[  393.385267][T22770] binder: 22769:22770 ioctl 40046207 0 returned -16
15:42:46 executing program 5:
r0 = open(&(0x7f00000006c0)='./file0/file0\x00', 0x414bf31f4cfba5de, 0x91)
ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT(r0, 0xc04c5349, &(0x7f0000000700)={0x5, 0x7ff, 0x90})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r2 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r2, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000240)=[{&(0x7f0000000000)="2e000000110081aee405d10200000e00fa076b000900000000f3ff500befccd77f00000000081c5eda00b0eba06a", 0x2e}], 0x1}, 0x0)
r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r4 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(0xffffffffffffff9c, 0x84, 0x70, &(0x7f00000002c0)={<r5=>0x0, @in={{0x2, 0x4e21, @empty}}, [0x3, 0x9, 0x9, 0xfffffffffffffffb, 0x0, 0x0, 0x2, 0xffffffffffffc0ac, 0x1f, 0x3, 0xfffffffffffff818, 0x1000, 0x8, 0x5]}, &(0x7f00000003c0)=0x100)
getsockopt$inet_sctp6_SCTP_RTOINFO(r4, 0x84, 0x0, &(0x7f0000000400)={r5, 0xbe99, 0x10001, 0x1000}, &(0x7f0000000440)=0x10)
r6 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r7 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
r8 = creat(&(0x7f0000000200)='./file0\x00', 0x40)
setsockopt$inet6_udp_encap(r8, 0x11, 0x64, &(0x7f0000000600)=0x800000000000005, 0x3)
ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r7, 0x4090ae82, &(0x7f0000000000)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x800, 0x0, 0x1000, 0xfffffffffffffffe], 0x1f001, 0x10000})
r9 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000280)='/dev/vsock\x00', 0x0, 0x0)
ioctl$KVM_HAS_DEVICE_ATTR(r8, 0x4018aee3, &(0x7f00000005c0)={0x0, 0x8, 0x9, &(0x7f0000000140)=0xd1})
openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000680)='/proc/capi/capi20ncci\x00', 0x100, 0x0)
ioctl$KVM_RUN(r7, 0xae80, 0x0)
ioctl$KVM_SET_XCRS(r8, 0x4188aea7, &(0x7f0000000580)={0x2, 0x9, [{0x8, 0x0, 0x1}, {0x200}]})
ioctl$EVIOCGBITSW(r2, 0x80404525, &(0x7f00000004c0)=""/162)
ioctl$CAPI_GET_MANUFACTURER(r6, 0xc0044306, &(0x7f0000000480)=0xac)
flistxattr(r9, &(0x7f0000000640)=""/46, 0x2e)

15:42:46 executing program 2:
r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000000)='cpu.stat\x00', 0x0, 0x0)
ioctl$LOOP_CTL_GET_FREE(r0, 0x4c82)
r1 = openat$dlm_control(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/dlm-control\x00', 0x0, 0x0)
ioctl$SNDRV_TIMER_IOCTL_NEXT_DEVICE(r1, 0xc0145401, &(0x7f0000000080)={0x0, 0x3, 0x8000, 0x1})
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000140)=ANY=[@ANYBLOB="5b643a3a5d3a2f6c6c623affabe9be69345821654a7cddea1f5fa888c7c0dab83a19757e15ee44a404e2c919942320107c6809000000000000000817672a7bc339265b048456dda9277988fb1facb8847ce54d5bfce592fee93722295ef4b8104d71a09f0e8257b892931c1484b80c91628bcc5853b48bf881d7f2372a5a4aa71ca00e09656e6a400cbfe8a90fd772fdc45fc1b2711a650d64941d624f83f74597dd555167e4714e77b60000000000000000000000005cadc51839d575"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  393.475031][T22817] binder_alloc: binder_alloc_mmap_handler: 22769 20001000-20004000 already mapped failed -16
15:42:46 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x7a000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:46 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000000080)='/dev/binder#\x00', 0x0, 0x802)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  393.559453][ T7807] binder: release 22769:22770 transaction 1947 out, still active
[  393.582123][T22875] netlink: 14 bytes leftover after parsing attributes in process `syz-executor.5'.
[  393.593528][ T7807] binder: unexpected work type, 4, not freed
15:42:46 executing program 1:
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, 0x0}, 0x0)
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0)

[  393.636620][ T7807] binder: undelivered transaction 1950, process died.
[  393.673992][ T7807] binder: send failed reply for transaction 1941 to 22752:22754
[  393.682685][T22885] binder: 22882:22885 got transaction to invalid handle
[  393.707912][ T7807] binder: send failed reply for transaction 1943 to 22769:22817
[  393.718833][T22891] binder_alloc: binder_alloc_mmap_handler: 22886 20001000-20004000 already mapped failed -16
[  393.730301][ T7807] binder: undelivered transaction 1946, process died.
[  393.741966][ T7807] binder: send failed reply for transaction 1947, target dead
[  393.750610][T22889] binder: BINDER_SET_CONTEXT_MGR already set
15:42:46 executing program 1:
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, 0x0}, 0x0)
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0)

[  393.759449][T22889] binder: 22886:22889 ioctl 40046207 0 returned -16
[  393.797587][ T7807] binder: undelivered transaction 1958, process died.
15:42:46 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$TIOCNXCL(r2, 0x540d)
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

15:42:46 executing program 5:
r0 = open(&(0x7f00000006c0)='./file0/file0\x00', 0x414bf31f4cfba5de, 0x91)
ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT(r0, 0xc04c5349, &(0x7f0000000700)={0x5, 0x7ff, 0x90})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r2 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r2, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000240)=[{&(0x7f0000000000)="2e000000110081aee405d10200000e00fa076b000900000000f3ff500befccd77f00000000081c5eda00b0eba06a", 0x2e}], 0x1}, 0x0)
r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r4 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(0xffffffffffffff9c, 0x84, 0x70, &(0x7f00000002c0)={<r5=>0x0, @in={{0x2, 0x4e21, @empty}}, [0x3, 0x9, 0x9, 0xfffffffffffffffb, 0x0, 0x0, 0x2, 0xffffffffffffc0ac, 0x1f, 0x3, 0xfffffffffffff818, 0x1000, 0x8, 0x5]}, &(0x7f00000003c0)=0x100)
getsockopt$inet_sctp6_SCTP_RTOINFO(r4, 0x84, 0x0, &(0x7f0000000400)={r5, 0xbe99, 0x10001, 0x1000}, &(0x7f0000000440)=0x10)
r6 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r7 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
r8 = creat(&(0x7f0000000200)='./file0\x00', 0x40)
setsockopt$inet6_udp_encap(r8, 0x11, 0x64, &(0x7f0000000600)=0x800000000000005, 0x3)
ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r7, 0x4090ae82, &(0x7f0000000000)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x800, 0x0, 0x1000, 0xfffffffffffffffe], 0x1f001, 0x10000})
r9 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000280)='/dev/vsock\x00', 0x0, 0x0)
ioctl$KVM_HAS_DEVICE_ATTR(r8, 0x4018aee3, &(0x7f00000005c0)={0x0, 0x8, 0x9, &(0x7f0000000140)=0xd1})
openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000680)='/proc/capi/capi20ncci\x00', 0x100, 0x0)
ioctl$KVM_RUN(r7, 0xae80, 0x0)
ioctl$KVM_SET_XCRS(r8, 0x4188aea7, &(0x7f0000000580)={0x2, 0x9, [{0x8, 0x0, 0x1}, {0x200}]})
ioctl$EVIOCGBITSW(r2, 0x80404525, &(0x7f00000004c0)=""/162)
ioctl$CAPI_GET_MANUFACTURER(r6, 0xc0044306, &(0x7f0000000480)=0xac)
flistxattr(r9, &(0x7f0000000640)=""/46, 0x2e)

[  393.819450][T22891] binder_transaction: 18 callbacks suppressed
[  393.819467][T22891] binder: 22886:22891 transaction failed 29189/-22, size 24-8 line 2994
15:42:46 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
r0 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000100)='/proc/sys/net/ipv4/vs/schedule_icmp\x00', 0x2, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r0, 0x10e, 0x7, &(0x7f0000000140)={0x8, 0x3, 0xfffffffffffffffd, 0x9}, 0x10)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000000)='ceph\x00', 0x2000, 0x0)
mount(&(0x7f0000000180)=ANY=[@ANYBLOB="2f6465f600000000703000"], &(0x7f00000001c0)='./file0\x00', &(0x7f0000000240)='bfs\x00', 0x1, &(0x7f0000000280)='ppp1system^\xb1-}mime_typelo\'(&\x00')
symlink(&(0x7f0000000080)='./file0\x00', &(0x7f00000000c0)='./file0\x00')

15:42:46 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0xfdfdffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:46 executing program 1:
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, 0x0}, 0x0)
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0)

[  393.911470][T22998] netlink: 14 bytes leftover after parsing attributes in process `syz-executor.5'.
15:42:46 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR64=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB="ff4723f0ad73e67b"], @ANYPTR64=&(0x7f0000000240)=ANY=[@ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00']], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})
r2 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000040)='/dev/btrfs-control\x00', 0x80000, 0x0)
ioctl$EVIOCGMASK(r2, 0x80104592, &(0x7f0000000080)={0x15, 0x84, &(0x7f0000000140)="ca8d128362a70e26ea333cb3f7ec833c3703fbb4069b52bd6eadd7ecbc516b240ac45a042cd3950a28562f1537efc7bec1a3ab7792c2e25bebd37f9246c1fed7739602fba8bd43df80fe40ecc462d0bb084fd20cfeb7b3cbb07524aa025053bad5bc181452afa29991698fa89e73b101c355eb9e114196ce59813f6bf0cd946d23914a17"})
r3 = openat$vcs(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/vcs\x00', 0x448002, 0x0)
setsockopt$inet6_tcp_TCP_CONGESTION(r3, 0x6, 0xd, &(0x7f0000000100)='illinois\x00', 0x9)
ioctl$KVM_S390_VCPU_FAULT(r3, 0x4004ae52, &(0x7f0000000000)=0x4)

[  393.991822][T23007] binder: 23005:23007 got transaction to invalid handle
15:42:47 executing program 2:
setxattr$security_ima(&(0x7f0000000000)='./file0\x00', &(0x7f0000000080)='security.ima\x00', &(0x7f0000000140)=@v2={0x7, 0x1, 0x3, 0x7fffffff, 0x5a, "2a5946fe9d02273823c943c6209977e1b35c1a410e6efca0ac47a30d4950a64bfafd83df29505f6f71ae63668efda63735d771866b9cbb1ce3da157e3fc44499ed98359c2140f97dc32132729f39d8d0a45d2e1e9245b8c6a6a0"}, 0x64, 0x2)
r0 = socket(0x5, 0x6, 0x100)
getsockopt$inet_sctp6_SCTP_AUTH_ACTIVE_KEY(0xffffffffffffffff, 0x84, 0x18, &(0x7f00000000c0)={<r1=>0x0, 0x6}, &(0x7f00000001c0)=0x8)
setsockopt$inet_sctp6_SCTP_CONTEXT(r0, 0x84, 0x11, &(0x7f0000000240)={r1, 0x6619}, 0x8)
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
getsockopt$inet_sctp6_SCTP_RESET_STREAMS(r0, 0x84, 0x77, &(0x7f0000000280)={r1, 0x8, 0x2, [0x4, 0x7]}, &(0x7f00000002c0)=0xc)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

15:42:47 executing program 1:
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={0x0}}, 0x0)
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0)

[  394.041187][T23007] binder: 23005:23007 transaction failed 29201/-22, size 0-0 line 2994
[  394.046519][T23015] binder: BINDER_SET_CONTEXT_MGR already set
[  394.128472][T23015] binder: 23014:23015 ioctl 40046207 0 returned -16
15:42:47 executing program 1:
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={0x0}}, 0x0)
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0)

[  394.192211][T23067] binder_alloc: binder_alloc_mmap_handler: 23014 20001000-20004000 already mapped failed -16
15:42:47 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0xfffffdfd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

15:42:47 executing program 5:
r0 = open(&(0x7f00000006c0)='./file0/file0\x00', 0x414bf31f4cfba5de, 0x91)
ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT(r0, 0xc04c5349, &(0x7f0000000700)={0x5, 0x7ff, 0x90})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r2 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r2, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000240)=[{&(0x7f0000000000)="2e000000110081aee405d10200000e00fa076b000900000000f3ff500befccd77f00000000081c5eda00b0eba06a", 0x2e}], 0x1}, 0x0)
r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r4 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(0xffffffffffffff9c, 0x84, 0x70, &(0x7f00000002c0)={<r5=>0x0, @in={{0x2, 0x4e21, @empty}}, [0x3, 0x9, 0x9, 0xfffffffffffffffb, 0x0, 0x0, 0x2, 0xffffffffffffc0ac, 0x1f, 0x3, 0xfffffffffffff818, 0x1000, 0x8, 0x5]}, &(0x7f00000003c0)=0x100)
getsockopt$inet_sctp6_SCTP_RTOINFO(r4, 0x84, 0x0, &(0x7f0000000400)={r5, 0xbe99, 0x10001, 0x1000}, &(0x7f0000000440)=0x10)
r6 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r7 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
r8 = creat(&(0x7f0000000200)='./file0\x00', 0x40)
setsockopt$inet6_udp_encap(r8, 0x11, 0x64, &(0x7f0000000600)=0x800000000000005, 0x3)
ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r7, 0x4090ae82, &(0x7f0000000000)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x800, 0x0, 0x1000, 0xfffffffffffffffe], 0x1f001, 0x10000})
openat$vsock(0xffffffffffffff9c, &(0x7f0000000280)='/dev/vsock\x00', 0x0, 0x0)
ioctl$KVM_HAS_DEVICE_ATTR(r8, 0x4018aee3, &(0x7f00000005c0)={0x0, 0x8, 0x9, &(0x7f0000000140)=0xd1})
openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000680)='/proc/capi/capi20ncci\x00', 0x100, 0x0)
ioctl$KVM_RUN(r7, 0xae80, 0x0)
ioctl$KVM_SET_XCRS(r8, 0x4188aea7, &(0x7f0000000580)={0x2, 0x9, [{0x8, 0x0, 0x1}, {0x200}]})
ioctl$EVIOCGBITSW(r2, 0x80404525, &(0x7f00000004c0)=""/162)
ioctl$CAPI_GET_MANUFACTURER(r6, 0xc0044306, &(0x7f0000000480)=0xac)

15:42:47 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = openat$full(0xffffffffffffff9c, &(0x7f0000000000)='/dev/full\x00', 0x14100, 0x0)
ioctl$VHOST_SET_VRING_BASE(r1, 0x4008af12, &(0x7f0000000040)={0x0, 0x9})
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r2, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_NR_MMU_PAGES(r2, 0xae44, 0x4)
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  394.237586][T23015] binder: BINDER_SET_CONTEXT_MGR already set
[  394.299419][T23015] binder: 23014:23015 ioctl 40046207 0 returned -16
[  394.299443][   T12] binder: release 23005:23007 transaction 1961 out, still active
[  394.315445][T23133] binder: BINDER_SET_CONTEXT_MGR already set
[  394.336055][T23137] netlink: 14 bytes leftover after parsing attributes in process `syz-executor.5'.
15:42:47 executing program 1:
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={0x0}}, 0x0)
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0)

[  394.339048][T23133] binder: 23131:23133 ioctl 40046207 0 returned -16
[  394.348028][   T12] binder: send failed reply for transaction 1961, target dead
[  394.358167][T23134] binder: 23014:23134 transaction failed 29189/-22, size 24-8 line 2994
[  394.368423][   T12] binder: undelivered transaction 1966, process died.
[  394.394948][T23015] binder: 23014:23015 transaction failed 29189/-22, size 24-0 line 2994
[  394.436429][ T2597] binder_release_work: 37 callbacks suppressed
[  394.436436][ T2597] binder: undelivered TRANSACTION_ERROR: 29189
[  394.458965][ T2597] binder: undelivered TRANSACTION_ERROR: 29189
15:42:47 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=ANY=[@ANYBLOB="11634840000000000000000000000000000000000000000001000000000000000000000018000000000000000000000000000000", @ANYPTR64=&(0x7f0000000000)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB="0000007c87d08b923de854af81df9a0000000000"], @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'], 0x0, 0x0, 0x0})

15:42:47 executing program 5:
r0 = open(&(0x7f00000006c0)='./file0/file0\x00', 0x414bf31f4cfba5de, 0x91)
ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT(r0, 0xc04c5349, &(0x7f0000000700)={0x5, 0x7ff, 0x90})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r2 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r2, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000240)=[{&(0x7f0000000000)="2e000000110081aee405d10200000e00fa076b000900000000f3ff500befccd77f00000000081c5eda00b0eba06a", 0x2e}], 0x1}, 0x0)
r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r4 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(0xffffffffffffff9c, 0x84, 0x70, &(0x7f00000002c0)={<r5=>0x0, @in={{0x2, 0x4e21, @empty}}, [0x3, 0x9, 0x9, 0xfffffffffffffffb, 0x0, 0x0, 0x2, 0xffffffffffffc0ac, 0x1f, 0x3, 0xfffffffffffff818, 0x1000, 0x8, 0x5]}, &(0x7f00000003c0)=0x100)
getsockopt$inet_sctp6_SCTP_RTOINFO(r4, 0x84, 0x0, &(0x7f0000000400)={r5, 0xbe99, 0x10001, 0x1000}, &(0x7f0000000440)=0x10)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r6 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
r7 = creat(&(0x7f0000000200)='./file0\x00', 0x40)
setsockopt$inet6_udp_encap(r7, 0x11, 0x64, &(0x7f0000000600)=0x800000000000005, 0x3)
ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r6, 0x4090ae82, &(0x7f0000000000)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x800, 0x0, 0x1000, 0xfffffffffffffffe], 0x1f001, 0x10000})
openat$vsock(0xffffffffffffff9c, &(0x7f0000000280)='/dev/vsock\x00', 0x0, 0x0)
ioctl$KVM_HAS_DEVICE_ATTR(r7, 0x4018aee3, &(0x7f00000005c0)={0x0, 0x8, 0x9, &(0x7f0000000140)=0xd1})
openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000680)='/proc/capi/capi20ncci\x00', 0x100, 0x0)
ioctl$KVM_RUN(r6, 0xae80, 0x0)
ioctl$KVM_SET_XCRS(r7, 0x4188aea7, &(0x7f0000000580)={0x2, 0x9, [{0x8, 0x0, 0x1}, {0x200}]})
ioctl$EVIOCGBITSW(r2, 0x80404525, &(0x7f00000004c0)=""/162)

15:42:47 executing program 1:
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x0, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0)

[  394.488312][ T2597] binder: undelivered TRANSACTION_ERROR: 29189
[  394.595779][T23256] binder_alloc: binder_alloc_mmap_handler: 23249 20001000-20004000 already mapped failed -16
[  394.609721][T23254] netlink: 14 bytes leftover after parsing attributes in process `syz-executor.5'.
15:42:47 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)

15:42:47 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x100000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  394.643185][T23251] binder: BINDER_SET_CONTEXT_MGR already set
[  394.649222][T23251] binder: 23249:23251 ioctl 40046207 0 returned -16
[  394.653391][T23256] binder_alloc: 23249: binder_alloc_buf, no vma
15:42:47 executing program 1:
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x0, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0)

[  394.687035][T23256] binder: 23249:23256 transaction failed 29189/-3, size 24-8 line 3147
15:42:47 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=ANY=[@ANYBLOB="5b642f3a5d3a2f6c6c623aff"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  394.774592][   T12] binder: undelivered transaction 1973, process died.
[  394.792671][T23267] binder: 23263:23267 got new transaction with bad transaction stack, transaction 1976 has target 23263:0
[  394.811795][   T12] binder: undelivered TRANSACTION_ERROR: 29189
15:42:47 executing program 3:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="00634040000000000000000000000000000000000000000000000000000000000000000018000000000000000800000000000000", @ANYPTR64=&(0x7f0000000200)=ANY=[@ANYBLOB="852a627300000000", @ANYRES64=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00'], @ANYPTR64=&(0x7f0000000000)=ANY=[@ANYBLOB="2478d399dbecfe680000000000781935d04a2e00000085a2"]], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x22b, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000480)=[@flat={0x73622a85}], 0x0}}}], 0x0, 0x0, 0x0})

[  394.822530][   T12] binder_release_work: 27 callbacks suppressed
[  394.822535][   T12] binder: undelivered TRANSACTION_COMPLETE
[  394.837245][T23267] binder: 23263:23267 transaction failed 29201/-71, size 0-0 line 3044
[  394.862650][T23272] ceph: device name is missing path (no : separator in [d/:]:/llb:�)
15:42:47 executing program 1:
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x0, 0x829, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0)

[  394.864820][   T12] binder: undelivered TRANSACTION_COMPLETE
[  394.878882][T23275] binder: BINDER_SET_CONTEXT_MGR already set
[  394.897223][   T12] binder: undelivered TRANSACTION_ERROR: 29189
15:42:47 executing program 2:
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=ANY=[@ANYBLOB], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)
r0 = dup2(0xffffffffffffffff, 0xffffffffffffff9c)
name_to_handle_at(r0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000240)={0xcd, 0x9, "f4f4f39996471021802fe288324ffbce159c9b0c0226fd999030d364e5f7d681e2e30206def719353e0992990436fc2d768ff6d01d68adb1fe91311e3bbcdbd6d429ab65cf3467e712c2e66033cb07924a29e95fb0b16867c4ece939097f4921612aedbe58a8503d7eeb00ba1e6c66d25b151c1a9601d20a8413e2678779e28a83eb462afbd3c2b89f8ab064637e52b58cc5f9f1f073a31fa6ef75d89690ce1d5c2bfed99214d37f8382f18df36cc191fc10e895eae47bef6b9b8049dd38b87775e2c39068"}, &(0x7f0000000040), 0x0)

15:42:47 executing program 0:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r2 = openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
ioctl$KVM_GET_XCRS(r2, 0x8188aea6, &(0x7f0000000000)=ANY=[@ANYBLOB="0500000006000000ffffff7f0000000007640000000000000300000000000000dc0e00000000000003000000000000004e0100000000000001000080000000000600000000000000d0000000000000000208000000000000"])
r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
setsockopt$inet6_icmp_ICMP_FILTER(r2, 0x1, 0x1, &(0x7f0000000080)={0x3}, 0x4)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb], 0x1f000, 0x10000})
ioctl$KVM_RUN(r3, 0xae80, 0x0)

[  394.937943][T23275] binder: 23273:23275 ioctl 40046207 0 returned -16
[  394.938532][T23336] ------------[ cut here ]------------
[  394.950047][T23336] kernel BUG at drivers/android/binder_alloc.c:1141!
15:42:47 executing program 5:
r0 = open(&(0x7f00000006c0)='./file0/file0\x00', 0x414bf31f4cfba5de, 0x91)
ioctl$SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT(r0, 0xc04c5349, &(0x7f0000000700)={0x5, 0x7ff, 0x90})
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm\x00', 0x0, 0x0)
syz_kvm_setup_cpu$x86(0xffffffffffffffff, 0xffffffffffffffff, &(0x7f0000007000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, &(0x7f0000000180)="3edfdf6567360fae8200400000440f20c0663502000000440f22c0f3a70f0666b9b603000066b8f98a7c5a66ba5e232f580f300f23a2ed64f30f0d960090d1ac0000", 0x42}], 0x1, 0x0, 0x0, 0x0)
r2 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r2, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000240)=[{&(0x7f0000000000)="2e000000110081aee405d10200000e00fa076b000900000000f3ff500befccd77f00000000081c5eda00b0eba06a", 0x2e}], 0x1}, 0x0)
r3 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r4 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
getsockopt$inet_sctp_SCTP_GET_ASSOC_STATS(0xffffffffffffff9c, 0x84, 0x70, &(0x7f00000002c0)={<r5=>0x0, @in={{0x2, 0x4e21, @empty}}, [0x3, 0x9, 0x9, 0xfffffffffffffffb, 0x0, 0x0, 0x2, 0xffffffffffffc0ac, 0x1f, 0x3, 0xfffffffffffff818, 0x1000, 0x8, 0x5]}, &(0x7f00000003c0)=0x100)
getsockopt$inet_sctp6_SCTP_RTOINFO(r4, 0x84, 0x0, &(0x7f0000000400)={r5, 0xbe99, 0x10001, 0x1000}, &(0x7f0000000440)=0x10)
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fchownat(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0)
r6 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0)
r7 = creat(&(0x7f0000000200)='./file0\x00', 0x40)
setsockopt$inet6_udp_encap(r7, 0x11, 0x64, &(0x7f0000000600)=0x800000000000005, 0x3)
ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
ioctl$KVM_SET_REGS(r6, 0x4090ae82, &(0x7f0000000000)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4cb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x800, 0x0, 0x1000, 0xfffffffffffffffe], 0x1f001, 0x10000})
openat$vsock(0xffffffffffffff9c, &(0x7f0000000280)='/dev/vsock\x00', 0x0, 0x0)
ioctl$KVM_HAS_DEVICE_ATTR(r7, 0x4018aee3, &(0x7f00000005c0)={0x0, 0x8, 0x9, &(0x7f0000000140)=0xd1})
openat$proc_capi20ncci(0xffffffffffffff9c, &(0x7f0000000680)='/proc/capi/capi20ncci\x00', 0x100, 0x0)
ioctl$KVM_RUN(r6, 0xae80, 0x0)
ioctl$KVM_SET_XCRS(r7, 0x4188aea7, &(0x7f0000000580)={0x2, 0x9, [{0x8, 0x0, 0x1}, {0x200}]})

15:42:47 executing program 4:
r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0)
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000200), 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x200000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}}], 0x0, 0x0, 0x0})

[  395.019138][   T12] binder: undelivered TRANSACTION_COMPLETE
[  395.040495][   T12] binder: undelivered TRANSACTION_ERROR: 29201
[  395.063414][   T12] binder: undelivered TRANSACTION_ERROR: 29189
[  395.081979][T23336] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[  395.082511][T23275] binder: 23273:23275 transaction failed 29189/-22, size 24-0 line 2994
[  395.088214][T23336] CPU: 0 PID: 23336 Comm: syz-executor.3 Not tainted 5.1.0-rc2+ #40
[  395.088222][T23336] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  395.088244][T23336] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510
[  395.088264][T23336] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 4f f4 23 fc 4c 89 e6 4c 89 ef e8 64 f5 23 fc 4d 39 e5 76 07 e8 3a f4 23 fc <0f> 0b e8 33 f4 23 fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 41
[  395.098602][T23386] netlink: 14 bytes leftover after parsing attributes in process `syz-executor.5'.
[  395.104587][T23336] RSP: 0000:ffff8880591c76d8 EFLAGS: 00010216
[  395.104599][T23336] RAX: 0000000000040000 RBX: 0000000020001008 RCX: ffffc9000c64b000
[  395.104606][T23336] RDX: 000000000000036a RSI: ffffffff854c7d46 RDI: 0000000000000006
[  395.104613][T23336] RBP: ffff8880591c7758 R08: ffff8880572a8440 R09: 0000000000000028
[  395.104619][T23336] R10: ffffed100b238f32 R11: ffff8880591c7997 R12: 0000000000000020
[  395.104627][T23336] R13: 0000000000000028 R14: ffff88808f769d10 R15: 0000000000000000
[  395.104639][T23336] FS:  0000000000000000(0000) GS:ffff8880ae800000(0063) knlGS:00000000f5dd3b40
[  395.104657][T23336] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[  395.121558][ T3876] kobject: 'loop1' (0000000064106c60): kobject_uevent_env
[  395.140928][T23336] CR2: 0000000030223000 CR3: 00000000941a3000 CR4: 00000000001426f0
[  395.140939][T23336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  395.140946][T23336] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  395.140950][T23336] Call Trace:
[  395.140977][T23336]  ? memcpy+0x46/0x50
[  395.141001][T23336]  binder_alloc_copy_from_buffer+0x37/0x42
[  395.225101][T23393] ceph: device name is missing path (no : separator in M)
[  395.227052][T23336]  binder_get_object+0xc3/0x200
[  395.227079][T23336]  binder_transaction+0x2b4a/0x6690
[  395.244571][T23394] kobject: 'kvm' (000000002baf0604): kobject_uevent_env
[  395.246370][T23336]  ? binder_thread_read+0x3d50/0x3d50
[  395.262043][ T3876] kobject: 'loop1' (0000000064106c60): fill_kobj_path: path = '/devices/virtual/block/loop1'
[  395.263308][T23336]  ? __lock_acquire+0x548/0x3fb0
[  395.263345][T23336]  ? __might_fault+0x12b/0x1e0
[  395.263369][T23336]  ? lock_downgrade+0x880/0x880
[  395.272856][ T3876] kobject: 'loop2' (000000006b36aef2): kobject_uevent_env
[  395.273463][T23336]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  395.280420][ T3876] kobject: 'loop2' (000000006b36aef2): fill_kobj_path: path = '/devices/virtual/block/loop2'
[  395.285795][T23336]  ? _copy_from_user+0xdd/0x150
[  395.285814][T23336]  binder_thread_write+0x64a/0x2820
[  395.285834][T23336]  ? binder_transaction+0x6690/0x6690
[  395.285849][T23336]  ? __might_fault+0x12b/0x1e0
[  395.285874][T23336]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  395.314251][T23393] ceph: device name is missing path (no : separator in M)
[  395.317710][T23336]  ? _copy_from_user+0xdd/0x150
[  395.317730][T23336]  binder_ioctl+0x1033/0x183b
[  395.317754][T23336]  ? binder_thread_write+0x2820/0x2820
[  395.334561][T23394] kobject: 'kvm' (000000002baf0604): fill_kobj_path: path = '/devices/virtual/misc/kvm'
[  395.339058][T23336]  ? __fget+0x381/0x550
[  395.339075][T23336]  ? ksys_dup3+0x3e0/0x3e0
[  395.339098][T23336]  ? get_old_timespec32+0x200/0x200
[  395.359615][T23399] kobject: 'kvm' (000000002baf0604): kobject_uevent_env
[  395.360702][T23336]  ? tomoyo_file_ioctl+0x23/0x30
[  395.360726][T23336]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  395.378291][T23385] kobject: 'kvm' (000000002baf0604): kobject_uevent_env
15:42:48 executing program 1:
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x0, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0)

15:42:48 executing program 2:
mkdir(&(0x7f00000001c0)='./file0\x00', 0x20000000000140)
mount(&(0x7f0000000080)=ANY=[@ANYBLOB="4d001a00002b160000000000"], &(0x7f0000000000)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)
r0 = accept4(0xffffffffffffffff, &(0x7f0000000140)=@x25, &(0x7f0000000040)=0x80, 0x80800)
getsockopt$inet_sctp6_SCTP_PARTIAL_DELIVERY_POINT(r0, 0x84, 0x13, &(0x7f00000000c0)={<r1=>0x0, 0xf82}, &(0x7f0000000200)=0x1)
setsockopt$inet_sctp_SCTP_DEFAULT_PRINFO(r0, 0x84, 0x72, &(0x7f0000000240)={r1, 0x5, 0x30}, 0xc)

15:42:48 executing program 1:
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x0, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0)

15:42:48 executing program 2:
mount(&(0x7f0000000000)=ANY=[@ANYBLOB="f29e3c48a04620bcc1425bd6607d5f8d682f34295a2ca32cdbd0ef1e0f69"], &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  395.382847][T23336]  ? security_file_ioctl+0x93/0xc0
[  395.382866][T23336]  ? binder_thread_write+0x2820/0x2820
[  395.382881][T23336]  __ia32_compat_sys_ioctl+0x197/0x620
[  395.382904][T23336]  do_fast_syscall_32+0x281/0xc98
[  395.411417][T23399] kobject: 'kvm' (000000002baf0604): fill_kobj_path: path = '/devices/virtual/misc/kvm'
[  395.413737][T23336]  entry_SYSENTER_compat+0x70/0x7f
[  395.413749][T23336] RIP: 0023:0xf7ff8869
[  395.413763][T23336] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[  395.413778][T23336] RSP: 002b:00000000f5dd30cc EFLAGS: 00000296 ORIG_RAX: 0000000000000036
[  395.447183][T23387] kobject: 'kvm' (000000002baf0604): kobject_uevent_env
[  395.447990][T23336] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000c0306201
[  395.447999][T23336] RDX: 0000000020000440 RSI: 0000000000000000 RDI: 0000000000000000
[  395.448016][T23336] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
15:42:48 executing program 1:
openat$dsp(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000000)={0x2c, 0x34, 0x0, 0x0, 0x0, {0x4, 0x1000000}, [@nested={0x2c, 0x0, [@typed={0x14, 0x1, @ipv6=@loopback={0xffffffff00000000}}]}]}, 0x2c}}, 0x0)
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0)

15:42:48 executing program 2:
setxattr$security_selinux(&(0x7f0000000000)='./file0\x00', &(0x7f0000000080)='security.selinux\x00', &(0x7f00000000c0)='system_u:object_r:xen_device_t:s0\x00', 0x22, 0x0)
mkdir(&(0x7f0000000340)='./file0\x00', 0x0)
mount(&(0x7f0000000040)=@nullb='[d::]:/llb:\xff', &(0x7f0000000200)='./file0\x00', &(0x7f0000000100)='ceph\x00', 0x0, 0x0)

[  395.460968][T23385] kobject: 'kvm' (000000002baf0604): fill_kobj_path: path = '/devices/virtual/misc/kvm'
[  395.462779][T23336] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  395.462787][T23336] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  395.462800][T23336] Modules linked in:
[  395.475858][T23336] ---[ end trace e04b6ab01cdeba88 ]---
[  395.506358][T23387] kobject: 'kvm' (000000002baf0604): fill_kobj_path: path = '/devices/virtual/misc/kvm'
[  395.521111][T23336] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510
[  395.530857][ T3876] kobject: 'loop1' (0000000064106c60): kobject_uevent_env
[  395.532923][T23406] binder: 23405:23406 got new transaction with bad transaction stack, transaction 1981 has target 23405:0
[  395.551564][ T3876] kobject: 'loop1' (0000000064106c60): fill_kobj_path: path = '/devices/virtual/block/loop1'
[  395.558393][T23336] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 4f f4 23 fc 4c 89 e6 4c 89 ef e8 64 f5 23 fc 4d 39 e5 76 07 e8 3a f4 23 fc <0f> 0b e8 33 f4 23 fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 41
[  395.578029][ T3876] kobject: 'loop2' (000000006b36aef2): kobject_uevent_env
[  395.635628][T23387] kobject: 'kvm' (000000002baf0604): kobject_uevent_env
[  395.642611][T23406] binder: 23405:23406 transaction failed 29201/-71, size 0-0 line 3044
[  395.657703][T23336] RSP: 0000:ffff8880591c76d8 EFLAGS: 00010216
[  395.659676][T23387] kobject: 'kvm' (000000002baf0604): fill_kobj_path: path = '/devices/virtual/misc/kvm'
[  395.667047][T23275] binder: BINDER_SET_CONTEXT_MGR already set
[  395.686804][T23336] RAX: 0000000000040000 RBX: 0000000020001008 RCX: ffffc9000c64b000
[  395.702921][T23275] binder: 23273:23275 ioctl 40046207 0 returned -16
[  395.710247][T23414] ------------[ cut here ]------------
[  395.715755][T23414] kernel BUG at drivers/android/binder_alloc.c:1141!
[  395.724961][ T3876] kobject: 'loop2' (000000006b36aef2): fill_kobj_path: path = '/devices/virtual/block/loop2'
[  395.733442][T23336] RDX: 000000000000036a RSI: ffffffff854c7d46 RDI: 0000000000000006
[  395.737436][T23414] invalid opcode: 0000 [#2] PREEMPT SMP KASAN
[  395.744408][T23336] RBP: ffff8880591c7758 R08: ffff8880572a8440 R09: 0000000000000028
[  395.749441][T23414] CPU: 1 PID: 23414 Comm: syz-executor.3 Tainted: G      D           5.1.0-rc2+ #40
[  395.749448][T23414] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  395.749467][T23414] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510
[  395.749481][T23414] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 4f f4 23 fc 4c 89 e6 4c 89 ef e8 64 f5 23 fc 4d 39 e5 76 07 e8 3a f4 23 fc <0f> 0b e8 33 f4 23 fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 41
[  395.749487][T23414] RSP: 0018:ffff888062ea76d8 EFLAGS: 00010212
[  395.758091][T23336] R10: ffffed100b238f32 R11: ffff8880591c7997 R12: 0000000000000020
[  395.766861][T23414] RAX: 0000000000040000 RBX: 0000000020001008 RCX: ffffc9000c84c000
[  395.766869][T23414] RDX: 00000000000002db RSI: ffffffff854c7d46 RDI: 0000000000000006
[  395.766875][T23414] RBP: ffff888062ea7758 R08: ffff888062454240 R09: 0000000000000028
[  395.766882][T23414] R10: ffffed100c5d4f32 R11: ffff888062ea7997 R12: 0000000000000020
[  395.766888][T23414] R13: 0000000000000028 R14: ffff8880905a4b50 R15: 0000000000000000
[  395.766899][T23414] FS:  0000000000000000(0000) GS:ffff8880ae900000(0063) knlGS:00000000f5db2b40
[  395.766907][T23414] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[  395.766914][T23414] CR2: 0000000000000000 CR3: 00000000941a3000 CR4: 00000000001426e0
[  395.766925][T23414] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  395.766931][T23414] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  395.766936][T23414] Call Trace:
[  395.766961][T23414]  ? memcpy+0x46/0x50
[  395.766980][T23414]  binder_alloc_copy_from_buffer+0x37/0x42
[  395.767002][T23414]  binder_get_object+0xc3/0x200
[  395.777943][T23336] R13: 0000000000000028 R14: ffff88808f769d10 R15: 0000000000000000
[  395.783631][T23414]  binder_transaction+0x2b4a/0x6690
[  395.783658][T23414]  ? binder_thread_read+0x3d50/0x3d50
[  395.783675][T23414]  ? mark_held_locks+0xf0/0xf0
[  395.783687][T23414]  ? mark_held_locks+0xf0/0xf0
[  395.783703][T23414]  ? __kasan_kmalloc.constprop.0+0xcf/0xe0
[  395.783716][T23414]  ? binder_get_thread+0x1db/0x7c0
[  395.783730][T23414]  ? lock_downgrade+0x880/0x880
[  395.783753][T23414]  ? __might_fault+0xfb/0x1e0
[  395.804085][T23336] FS:  0000000000000000(0000) GS:ffff8880ae800000(0063) knlGS:00000000f5dd3b40
[  395.809550][T23414]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  395.809567][T23414]  ? _copy_from_user+0xdd/0x150
[  395.809586][T23414]  binder_thread_write+0x64a/0x2820
[  395.809613][T23414]  ? binder_transaction+0x6690/0x6690
[  395.818247][T23336] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[  395.829070][T23414]  ? kasan_check_write+0x14/0x20
[  395.829086][T23414]  ? do_raw_spin_lock+0x12a/0x2e0
[  395.829105][T23414]  ? __might_fault+0xfb/0x1e0
[  395.829130][T23414]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  395.829144][T23414]  ? _copy_from_user+0xdd/0x150
[  395.829161][T23414]  binder_ioctl+0x1033/0x183b
[  395.829179][T23414]  ? binder_thread_write+0x2820/0x2820
[  395.829201][T23414]  ? __fget+0x381/0x550
[  395.837872][T23336] CR2: 00000000081220f0 CR3: 00000000941a3000 CR4: 00000000001426f0
[  395.845195][T23414]  ? ksys_dup3+0x3e0/0x3e0
[  395.845209][T23414]  ? get_old_timespec32+0x200/0x200
[  395.845227][T23414]  ? tomoyo_file_ioctl+0x23/0x30
[  395.845240][T23414]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  395.845255][T23414]  ? security_file_ioctl+0x93/0xc0
[  395.845272][T23414]  ? binder_thread_write+0x2820/0x2820
[  395.845287][T23414]  __ia32_compat_sys_ioctl+0x197/0x620
[  395.845313][T23414]  do_fast_syscall_32+0x281/0xc98
[  395.853973][T23336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  395.861364][T23414]  entry_SYSENTER_compat+0x70/0x7f
[  395.861375][T23414] RIP: 0023:0xf7ff8869
[  395.861390][T23414] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[  395.861396][T23414] RSP: 002b:00000000f5db20cc EFLAGS: 00000296 ORIG_RAX: 0000000000000036
[  395.861408][T23414] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00000000c0306201
[  395.861416][T23414] RDX: 0000000020000440 RSI: 0000000000000000 RDI: 0000000000000000
[  395.861449][T23414] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  395.871455][T23336] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  395.876981][T23414] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  395.876989][T23414] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  395.877001][T23414] Modules linked in:
[  395.890614][ T3876] kobject: 'loop5' (00000000fe1647a9): kobject_uevent_env
[  395.894725][T23336] Kernel panic - not syncing: Fatal exception
[  395.906265][ T3876] kobject: 'loop5' (00000000fe1647a9): fill_kobj_path: path = '/devices/virtual/block/loop5'
[  395.909909][T23336] Kernel Offset: disabled
[  396.222266][T23336] Rebooting in 86400 seconds..