7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963addd4b658ac7c800"}}) [ 782.044977] binder: undelivered TRANSACTION_COMPLETE [ 782.050255] binder: undelivered TRANSACTION_ERROR: 29189 07:48:47 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3f334, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 782.440377] binder: BINDER_SET_CONTEXT_MGR already set 07:48:47 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) [ 782.743797] binder: 12205:12210 ioctl 40046207 0 returned -16 [ 782.817727] binder: 12205:12231 got transaction to invalid handle [ 782.824107] binder: 12205:12231 transaction failed 29201/-22, size 0-0 line 2855 07:48:48 executing program 3: socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000005c0)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r3 = msgget(0x2, 0x80) stat(&(0x7f0000000100)='./file0\x00', &(0x7f00000001c0)) getgroups(0x2, &(0x7f0000000240)=[0xffffffffffffffff, 0xee01]) fstat(r0, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$sock_cred(r1, 0x1, 0x11, &(0x7f0000000380)={0x0, 0x0, 0x0}, &(0x7f0000000440)=0xc) ioctl$sock_SIOCGPGRP(r1, 0x8904, &(0x7f0000000500)=0x0) fcntl$getownex(r1, 0x10, &(0x7f0000000580)={0x0, 0x0}) msgctl$IPC_SET(r3, 0x1, &(0x7f00000006c0)={{0x76, r5, r4, r5, r6, 0x7e, 0x808}, 0x5, 0x1c0000, 0x8000, 0xbf, 0xb6e3, 0x3, r7, r8}) r9 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r2) r10 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r9) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r11 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r10) r12 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r11) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r13 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r2) keyctl$dh_compute(0x17, &(0x7f0000000340)={r12, r13, r13}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x3) [ 783.025504] binder: undelivered TRANSACTION_ERROR: 29201 [ 783.161066] binder: release 12234:12239 transaction 9296 out, still active [ 783.168411] binder: unexpected work type, 4, not freed [ 783.173833] binder: undelivered TRANSACTION_COMPLETE 07:48:48 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6c00, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 783.253007] binder_alloc: 12234: binder_alloc_buf, no vma [ 783.258919] binder: 12234:12239 transaction failed 29189/-3, size 258868-0 line 2970 [ 783.340293] could not allocate digest TFM handle sha1-genericKe 07:48:48 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x42, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008031, 0xffffffffffffffff, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) r4 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r5 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r4) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r5) syz_open_dev$vcsn(&(0x7f00000001c0)='/dev/vcs#\x00', 0xce88, 0x10000) syz_genetlink_get_family_id$team(&(0x7f0000000240)='team\x00') getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffff9c, 0x29, 0x23, &(0x7f00000006c0)={{{@in6=@dev, @in6}}, {{@in6}, 0x0, @in6=@dev}}, &(0x7f00000002c0)=0xe8) getsockname$packet(0xffffffffffffffff, &(0x7f0000000440), &(0x7f0000000500)=0x14) getpeername(r0, &(0x7f0000000980)=@can, &(0x7f0000000900)=0x80) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:48:48 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963cf32ae90e642919400"}}) [ 783.455681] binder: BINDER_SET_CONTEXT_MGR already set [ 783.481698] binder: 12258:12259 ioctl 40046207 0 returned -16 [ 783.503101] binder: release 12234:12239 transaction 9296 in, still active [ 783.510265] binder: send failed reply for transaction 9296, target dead [ 783.518693] binder: 12258:12261 got transaction to invalid handle 07:48:48 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4800000000000000, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 783.525100] binder: 12258:12261 transaction failed 29201/-22, size 0-0 line 2855 [ 783.627446] binder_alloc: binder_alloc_mmap_handler: 12258 20001000-20004000 already mapped failed -16 [ 783.705038] binder: 12258:12261 got transaction to invalid handle [ 783.711578] binder: 12258:12261 transaction failed 29201/-22, size 0-0 line 2855 [ 783.723897] binder_release_work: 2 callbacks suppressed [ 783.723904] binder: undelivered TRANSACTION_ERROR: 29201 07:48:48 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6800, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:48:48 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x42, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008031, 0xffffffffffffffff, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) r4 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r5 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r4) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r5) syz_open_dev$vcsn(&(0x7f00000001c0)='/dev/vcs#\x00', 0xce88, 0x10000) syz_genetlink_get_family_id$team(&(0x7f0000000240)='team\x00') getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffff9c, 0x29, 0x23, &(0x7f00000006c0)={{{@in6=@dev, @in6}}, {{@in6}, 0x0, @in6=@dev}}, &(0x7f00000002c0)=0xe8) getsockname$packet(0xffffffffffffffff, &(0x7f0000000440), &(0x7f0000000500)=0x14) getpeername(r0, &(0x7f0000000980)=@can, &(0x7f0000000900)=0x80) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000a00)={'bond_slave_0\x00'}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 783.768748] binder: undelivered TRANSACTION_ERROR: 29201 [ 783.780364] binder: release 12268:12271 transaction 9304 out, still active [ 783.787495] binder: unexpected work type, 4, not freed [ 783.792851] binder: undelivered TRANSACTION_COMPLETE [ 783.885291] binder_alloc: 12268: binder_alloc_buf, no vma [ 783.891057] binder: 12268:12271 transaction failed 29189/-3, size 5188146770730811392-0 line 2970 [ 783.914038] could not allocate digest TFM handle sha1-generic2B 07:48:49 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4800000000000000, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:48:49 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6c00000000000000, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:48:49 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) [ 783.957076] binder: release 12268:12271 transaction 9304 in, still active [ 783.964291] binder: send failed reply for transaction 9304, target dead [ 783.971102] binder: undelivered TRANSACTION_ERROR: 29189 07:48:49 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963cd4fb48cc136e800"}}) 07:48:49 executing program 3: r0 = openat$audio(0xffffffffffffff9c, &(0x7f0000000240)='/dev/audio\x00', 0x0, 0x0) setsockopt$inet_int(r0, 0x0, 0xe, &(0x7f00000002c0)=0x203c06bb, 0x4) socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r3 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r2) r4 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r3) r5 = openat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x200000, 0x4) getsockopt$inet_pktinfo(r5, 0x0, 0x8, &(0x7f00000001c0)={0x0, @rand_addr, @local}, &(0x7f0000000200)=0xc) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r6 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r4) ioctl$PERF_EVENT_IOC_RESET(r0, 0x2403, 0x1ff) r7 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r6) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r8 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r2) keyctl$dh_compute(0x17, &(0x7f0000000340)={r7, r8, r8}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) accept4$unix(r1, &(0x7f0000000580)=@abs, &(0x7f0000000300)=0x6e, 0x800) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) [ 784.307291] binder: 12281:12295 got transaction to invalid handle [ 784.313734] binder: 12281:12295 transaction failed 29201/-22, size 0-0 line 2855 [ 784.396286] binder: BINDER_SET_CONTEXT_MGR already set [ 784.444473] binder: BINDER_SET_CONTEXT_MGR already set [ 784.490226] binder: 12292:12298 ioctl 40046207 0 returned -16 [ 784.554939] binder_alloc: binder_alloc_mmap_handler: 12281 20001000-20004000 already mapped failed -16 [ 784.571876] binder: release 12292:12306 transaction 9310 out, still active [ 784.579061] binder: unexpected work type, 4, not freed [ 784.584463] binder: undelivered TRANSACTION_COMPLETE [ 784.596341] binder: 12293:12302 ioctl 40046207 0 returned -16 [ 784.650268] binder: BINDER_SET_CONTEXT_MGR already set [ 784.689863] binder_alloc: 12281: binder_alloc_buf, no vma [ 784.695452] could not allocate digest TFM handle sha1-genericO6 [ 784.695665] binder: 12293:12308 transaction failed 29189/-3, size 24-8 line 2970 [ 784.706732] binder: 12292:12306 got transaction to invalid handle [ 784.715925] binder: 12292:12306 transaction failed 29201/-22, size 7782220156096217088-0 line 2855 [ 784.749096] binder: 12281:12290 ioctl 40046207 0 returned -16 [ 784.784316] binder: 12293:12311 got transaction to invalid handle [ 784.790749] binder: 12293:12311 transaction failed 29201/-22, size 5188146770730811392-0 line 2855 [ 784.813190] binder: 12281:12295 got transaction to invalid handle [ 784.819595] binder: 12281:12295 transaction failed 29201/-22, size 0-0 line 2855 [ 784.836964] binder: release 12281:12290 transaction 9310 in, still active 07:48:49 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269635ece079da10b6c00"}}) [ 784.844101] binder: send failed reply for transaction 9310, target dead [ 784.850943] binder: undelivered TRANSACTION_ERROR: 29201 [ 784.925871] binder: undelivered TRANSACTION_ERROR: 29201 07:48:50 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfdfdffff00000000, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 785.084332] binder: undelivered TRANSACTION_ERROR: 29189 07:48:50 executing program 3: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r2 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r3 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r2) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r4 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r3) r5 = dup2(r0, r0) r6 = syz_open_dev$adsp(&(0x7f0000000100)='/dev/adsp#\x00', 0x5, 0x200000) ioctl$KVM_CREATE_DEVICE(r5, 0xc00caee0, &(0x7f00000001c0)={0x2, r6, 0x1}) r7 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r4) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r8 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r1) keyctl$dh_compute(0x17, &(0x7f0000000340)={r7, r8, r8}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 785.262967] could not allocate digest TFM handle sha1-generic^ l 07:48:50 executing program 5: socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000005c0)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r3 = msgget(0x2, 0x80) stat(&(0x7f0000000100)='./file0\x00', &(0x7f00000001c0)) getgroups(0x2, &(0x7f0000000240)=[0xffffffffffffffff, 0xee01]) fstat(r0, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$sock_cred(r1, 0x1, 0x11, &(0x7f0000000380)={0x0, 0x0, 0x0}, &(0x7f0000000440)=0xc) ioctl$sock_SIOCGPGRP(r1, 0x8904, &(0x7f0000000500)=0x0) fcntl$getownex(r1, 0x10, &(0x7f0000000580)={0x0, 0x0}) msgctl$IPC_SET(r3, 0x1, &(0x7f00000006c0)={{0x76, r5, r4, r5, r6, 0x7e, 0x808}, 0x5, 0x1c0000, 0x8000, 0xbf, 0xb6e3, 0x3, r7, r8}) r9 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r2) r10 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r9) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r11 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r10) r12 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r11) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r13 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r2) keyctl$dh_compute(0x17, &(0x7f0000000340)={r12, r13, r13}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x3) 07:48:50 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x300000000000000, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 785.366182] binder: undelivered TRANSACTION_ERROR: 29201 [ 785.404480] binder: undelivered TRANSACTION_ERROR: 29201 [ 785.465453] binder: 12324:12330 got transaction to invalid handle 07:48:50 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) [ 785.739374] binder: BINDER_SET_CONTEXT_MGR already set [ 785.814249] binder: 12336:12340 ioctl 40046207 0 returned -16 [ 785.854291] binder_alloc: binder_alloc_mmap_handler: 12324 20001000-20004000 already mapped failed -16 [ 785.915900] binder: BINDER_SET_CONTEXT_MGR already set [ 785.980292] binder: 12336:12344 got transaction to invalid handle [ 786.032090] binder: 12324:12327 ioctl 40046207 0 returned -16 [ 786.065508] binder: 12324:12351 got transaction to invalid handle [ 786.114807] binder: release 12324:12327 transaction 9319 in, still active [ 786.121934] binder: send failed reply for transaction 9319 to 12336:12344 [ 786.128981] binder: undelivered TRANSACTION_ERROR: 29201 [ 786.192758] binder: undelivered TRANSACTION_ERROR: 29201 [ 786.593972] binder: undelivered TRANSACTION_COMPLETE 07:48:51 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x68000000, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:48:51 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269630028109cc535b93200"}}) 07:48:51 executing program 5: socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000005c0)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r3 = msgget(0x2, 0x80) stat(&(0x7f0000000100)='./file0\x00', &(0x7f00000001c0)) getgroups(0x2, &(0x7f0000000240)=[0xffffffffffffffff, 0xee01]) fstat(r0, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0}) getsockopt$sock_cred(r1, 0x1, 0x11, &(0x7f0000000380)={0x0, 0x0, 0x0}, &(0x7f0000000440)=0xc) ioctl$sock_SIOCGPGRP(r1, 0x8904, &(0x7f0000000500)=0x0) fcntl$getownex(r1, 0x10, &(0x7f0000000580)={0x0, 0x0}) msgctl$IPC_SET(r3, 0x1, &(0x7f00000006c0)={{0x76, r5, r4, r5, r6, 0x7e, 0x808}, 0x5, 0x1c0000, 0x8000, 0xbf, 0xb6e3, 0x3, r7, r8}) r9 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r2) r10 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r9) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r11 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r10) r12 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r11) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r13 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r2) keyctl$dh_compute(0x17, &(0x7f0000000340)={r12, r13, r13}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x3) 07:48:51 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x100000000000000, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 786.897454] binder: release 12363:12368 transaction 9325 out, still active [ 786.905025] binder: unexpected work type, 4, not freed [ 786.910373] binder: undelivered TRANSACTION_COMPLETE [ 786.919140] binder: BINDER_SET_CONTEXT_MGR already set [ 786.924986] binder_alloc: 12363: binder_alloc_buf, no vma [ 786.976607] binder: release 12363:12368 transaction 9325 in, still active [ 786.981701] binder: 12365:12372 ioctl 40046207 0 returned -16 [ 786.983667] binder: send failed reply for transaction 9325, target dead [ 786.984795] binder: 12365:12377 got transaction to invalid handle [ 787.063519] binder_alloc: binder_alloc_mmap_handler: 12365 20001000-20004000 already mapped failed -16 [ 787.100437] binder: 12365:12377 got transaction to invalid handle 07:48:52 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x42, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008031, 0xffffffffffffffff, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) r4 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r5 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r4) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r5) syz_open_dev$vcsn(&(0x7f00000001c0)='/dev/vcs#\x00', 0xce88, 0x10000) syz_genetlink_get_family_id$team(&(0x7f0000000240)='team\x00') getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffff9c, 0x29, 0x23, &(0x7f00000006c0)={{{@in6=@dev, @in6}}, {{@in6}, 0x0, @in6=@dev}}, &(0x7f00000002c0)=0xe8) getsockname$packet(0xffffffffffffffff, &(0x7f0000000440), &(0x7f0000000500)=0x14) getpeername(r0, &(0x7f0000000980)=@can, &(0x7f0000000900)=0x80) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000a00)={'bond_slave_0\x00'}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:48:52 executing program 3: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r2 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r3 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r2) openat$mixer(0xffffffffffffff9c, &(0x7f0000000100)='/dev/mixer\x00', 0x0, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r4 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r3) r5 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r4) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r6 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r1) keyctl$dh_compute(0x17, &(0x7f0000000340)={r5, r6, r6}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:48:52 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1200, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:48:52 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:48:52 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x42, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008031, 0xffffffffffffffff, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) r4 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r5 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r4) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r5) syz_open_dev$vcsn(&(0x7f00000001c0)='/dev/vcs#\x00', 0xce88, 0x10000) syz_genetlink_get_family_id$team(&(0x7f0000000240)='team\x00') getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffff9c, 0x29, 0x23, &(0x7f00000006c0)={{{@in6=@dev, @in6}}, {{@in6}, 0x0, @in6=@dev}}, &(0x7f00000002c0)=0xe8) getsockname$packet(0xffffffffffffffff, &(0x7f0000000440), &(0x7f0000000500)=0x14) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:48:52 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269636ed2e8a9b82e9df000"}}) 07:48:52 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5000000, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:48:52 executing program 5: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x42, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008031, 0xffffffffffffffff, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) r4 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r5 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r4) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r5) syz_open_dev$vcsn(&(0x7f00000001c0)='/dev/vcs#\x00', 0xce88, 0x10000) syz_genetlink_get_family_id$team(&(0x7f0000000240)='team\x00') getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffff9c, 0x29, 0x23, &(0x7f00000006c0)={{{@in6=@dev, @in6}}, {{@in6}, 0x0, @in6=@dev}}, &(0x7f00000002c0)=0xe8) getsockname$packet(0xffffffffffffffff, &(0x7f0000000440), &(0x7f0000000500)=0x14) getpeername(r0, &(0x7f0000000980)=@can, &(0x7f0000000900)=0x80) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 787.284496] binder: release 12386:12392 transaction 9333 out, still active [ 787.291632] binder: unexpected work type, 4, not freed [ 787.297004] binder: undelivered TRANSACTION_COMPLETE 07:48:52 executing program 3: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)) r0 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r1 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000240), 0x0, 0x0, r0) r2 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r1) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r3 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r2) r4 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r3) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r5 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r0) r6 = bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000001c0)={&(0x7f0000000100)="2b70707030e800", 0xffffffffffffff9c}, 0x10) ioctl$TIOCLINUX2(r6, 0x541c, &(0x7f0000000200)={0x2, 0xff, 0x9, 0x9, 0xfffffffffffffffc, 0x8}) keyctl$dh_compute(0x17, &(0x7f0000000340)={r4, r5, r5}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) ioctl$SNDRV_CTL_IOCTL_ELEM_REMOVE(r6, 0xc0405519, &(0x7f00000002c0)={0x4, 0x7, 0x81, 0xc8e, 'syz0\x00', 0x3ff}) ioctl$KVM_GET_SREGS(r6, 0x8138ae83, &(0x7f00000006c0)) r7 = shmget$private(0x0, 0x3000, 0x880, &(0x7f0000ffb000/0x3000)=nil) shmctl$SHM_LOCK(r7, 0xb) ioctl$PERF_EVENT_IOC_ENABLE(r6, 0x8912, 0xfffffffffffffffc) faccessat(r6, &(0x7f0000000300)='./file0\x00', 0x8, 0x200) [ 787.358477] could not allocate digest TFM handle sha1-genericn詸. [ 787.379805] binder: BINDER_SET_CONTEXT_MGR already set [ 787.394493] binder: 12396:12401 ioctl 40046207 0 returned -16 [ 787.418369] binder_alloc: 12386: binder_alloc_buf, no vma 07:48:52 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269633b1c583ce07d2600"}}) [ 787.475056] binder: 12396:12405 got transaction to invalid handle 07:48:52 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 787.542543] binder: release 12386:12392 transaction 9333 in, still active [ 787.549702] binder: send failed reply for transaction 9333, target dead [ 788.231777] binder_alloc: binder_alloc_mmap_handler: 12396 20001000-20004000 already mapped failed -16 [ 788.573575] binder: 12396:12421 got transaction to invalid handle [ 788.579966] binder_transaction: 8 callbacks suppressed [ 788.579983] binder: 12396:12421 transaction failed 29201/-22, size 0-0 line 2855 [ 789.160961] binder: BINDER_SET_CONTEXT_MGR already set [ 789.169291] binder_alloc: 12396: binder_alloc_buf, no vma [ 789.175038] binder: 12423:12437 transaction failed 29189/-3, size 24-8 line 2970 [ 789.218672] binder_release_work: 6 callbacks suppressed [ 789.218680] binder: undelivered TRANSACTION_ERROR: 29201 [ 789.610094] binder: 12423:12430 got transaction to invalid handle [ 789.616473] binder: 12423:12430 transaction failed 29201/-22, size 5-0 line 2855 [ 789.648437] binder: undelivered TRANSACTION_ERROR: 29201 [ 789.898939] could not allocate digest TFM handle sha1-generic;X<}& 07:48:55 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:48:55 executing program 3: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r2 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r3 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r2) add_key(&(0x7f0000000200)='encrypted\x00', &(0x7f0000000240)={0x73, 0x79, 0x7a, 0x2}, 0x0, 0x0, r1) r4 = openat$cgroup_ro(0xffffffffffffffff, &(0x7f0000000100)='cpuacct.usage_percpu_user\x00', 0x0, 0x0) setsockopt$bt_l2cap_L2CAP_CONNINFO(r4, 0x6, 0x2, &(0x7f00000001c0)={0x3, 0x7, 0xfffffffffffffff8, 0x7}, 0x6) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r5 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r3) r6 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r5) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r7 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x0, r1) keyctl$dh_compute(0x17, &(0x7f0000000340)={r6, r7, r7}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:48:55 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x100000000000000, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 790.179211] binder: 12423:12434 ioctl 40046207 0 returned -16 07:48:55 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963ac24047aad399e00"}}) 07:48:55 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6800000000000000, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 790.354203] binder: undelivered TRANSACTION_ERROR: 29201 [ 790.360835] binder: undelivered TRANSACTION_ERROR: 29189 [ 790.503856] binder: release 12461:12464 transaction 9343 out, still active [ 790.511034] binder: unexpected work type, 4, not freed [ 790.516379] binder: undelivered TRANSACTION_COMPLETE [ 790.528354] binder: BINDER_SET_CONTEXT_MGR already set [ 790.580442] binder: 12459:12466 ioctl 40046207 0 returned -16 [ 790.624258] binder: 12459:12469 got transaction to invalid handle [ 790.630750] binder: 12459:12469 transaction failed 29201/-22, size 0-0 line 2855 [ 790.680932] binder_alloc: 12461: binder_alloc_buf, no vma [ 790.686652] binder: 12461:12464 transaction failed 29189/-3, size 7493989779944505344-0 line 2970 [ 790.721382] binder_alloc: binder_alloc_mmap_handler: 12459 20001000-20004000 already mapped failed -16 [ 790.746630] could not allocate digest TFM handle sha1-generic$z9 [ 790.763716] binder: BINDER_SET_CONTEXT_MGR already set [ 790.794454] binder: 12459:12466 ioctl 40046207 0 returned -16 [ 790.815883] binder: 12459:12478 got transaction to invalid handle [ 790.822231] binder: 12459:12478 transaction failed 29201/-22, size 0-0 line 2855 [ 790.852044] binder: release 12461:12464 transaction 9343 in, still active [ 790.859143] binder: send failed reply for transaction 9343, target dead [ 790.866010] binder: undelivered TRANSACTION_ERROR: 29189 07:48:55 executing program 3: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)) r0 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r1 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r0) r2 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r1) r3 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r4 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r2) r5 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r4) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r6 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r0) keyctl$dh_compute(0x17, &(0x7f0000000340)={r5, r6, r6}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r3, 0x8912, 0x4001fc) 07:48:55 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1200000000000000, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:48:55 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269630030e0b0f2fd7e9a00"}}) 07:48:55 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x42, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008031, 0xffffffffffffffff, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) r4 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r5 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r4) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r5) syz_open_dev$vcsn(&(0x7f00000001c0)='/dev/vcs#\x00', 0xce88, 0x10000) syz_genetlink_get_family_id$team(&(0x7f0000000240)='team\x00') getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffff9c, 0x29, 0x23, &(0x7f00000006c0)={{{@in6=@dev, @in6}}, {{@in6}, 0x0, @in6=@dev}}, &(0x7f00000002c0)=0xe8) getsockname$packet(0xffffffffffffffff, &(0x7f0000000440), &(0x7f0000000500)=0x14) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:48:55 executing program 2: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269636ed2e8a9b82e9df000"}}) 07:48:55 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:48:55 executing program 5: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269636ed2e8a9b82e9df000"}}) [ 790.909460] binder: undelivered TRANSACTION_ERROR: 29201 [ 790.932994] binder: undelivered TRANSACTION_ERROR: 29201 07:48:56 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7a, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 791.079116] binder: release 12491:12496 transaction 9350 out, still active [ 791.086320] binder: unexpected work type, 4, not freed [ 791.091682] binder: undelivered TRANSACTION_COMPLETE 07:48:56 executing program 3: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r3 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r2) r4 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r3) r5 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r6 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r4) r7 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r6) r8 = bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r9 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r2) fcntl$getownex(r1, 0x10, &(0x7f0000000240)={0x0, 0x0}) fstat(r1, &(0x7f0000000580)={0x0, 0x0, 0x0, 0x0, 0x0}) getgroups(0x6, &(0x7f0000000380)=[0xee00, 0xee00, 0x0, 0x0, 0xee01, 0x0]) r13 = openat$urandom(0xffffffffffffff9c, &(0x7f0000000440)='/dev/urandom\x00', 0x100, 0x0) ioctl$TIOCGSID(0xffffffffffffff9c, 0x5429, &(0x7f0000000500)=0x0) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffff9c, 0x29, 0x23, &(0x7f00000006c0)={{{@in6=@loopback, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6}, 0x0, @in=@loopback}}, &(0x7f00000007c0)=0xe8) lstat(&(0x7f0000000800)='./file0\x00', &(0x7f00000008c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) r17 = gettid() r18 = geteuid() fstat(r0, &(0x7f0000000980)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) sendmsg$unix(r0, &(0x7f0000000840)={&(0x7f00000001c0)=@abs={0x1, 0x0, 0x4e23}, 0x6e, &(0x7f0000000100)=[{&(0x7f00000002c0)="da70ea55d4791f312e0a9adba5d0a00d6910f3f39cf760faaae25beca350616507b629286520799f4b179b2583144426a84f301944573a7c94e487ed730cf893ded445715ce1a8eadca129f4", 0x4c}], 0x1, &(0x7f0000000a00)=[@cred={0x20, 0x1, 0x2, r10, r11, r12}, @rights={0x28, 0x1, 0x1, [r5, r0, r1, r13, r8]}, @cred={0x20, 0x1, 0x2, r14, r15, r16}, @rights={0x20, 0x1, 0x1, [r0, r0, r0]}, @cred={0x20, 0x1, 0x2, r17, r18, r19}, @rights={0x30, 0x1, 0x1, [r1, r0, r5, r8, r0, r5, r1]}], 0xd8, 0x4}, 0x4) keyctl$dh_compute(0x17, &(0x7f0000000340)={r7, r9, r9}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) [ 791.289428] binder_alloc: 12491: binder_alloc_buf, no vma [ 791.295124] binder: 12491:12496 transaction failed 29189/-3, size 1297036692682702848-0 line 2970 [ 791.331886] could not allocate digest TFM handle sha1-genericn詸. [ 791.353916] binder: BINDER_SET_CONTEXT_MGR already set [ 791.359231] could not allocate digest TFM handle sha1-genericn詸. 07:48:56 executing program 5: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x42, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008031, 0xffffffffffffffff, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) r4 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r5 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r4) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r5) syz_open_dev$vcsn(&(0x7f00000001c0)='/dev/vcs#\x00', 0xce88, 0x10000) syz_genetlink_get_family_id$team(&(0x7f0000000240)='team\x00') getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffff9c, 0x29, 0x23, &(0x7f00000006c0)={{{@in6=@dev, @in6}}, {{@in6}, 0x0, @in6=@dev}}, &(0x7f00000002c0)=0xe8) getsockname$packet(0xffffffffffffffff, &(0x7f0000000440), &(0x7f0000000500)=0x14) getpeername(r0, &(0x7f0000000980)=@can, &(0x7f0000000900)=0x80) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000a00)={'bond_slave_0\x00'}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 791.382701] binder_alloc: binder_alloc_mmap_handler: 12491 20001000-20004000 already mapped failed -16 [ 791.412935] binder: 12509:12516 ioctl 40046207 0 returned -16 [ 791.450344] binder: 12509:12517 got transaction to invalid handle [ 791.453430] binder_alloc: 12491: binder_alloc_buf, no vma [ 791.456678] binder: 12509:12517 transaction failed 29201/-22, size 0-0 line 2855 [ 791.460494] binder: BINDER_SET_CONTEXT_MGR already set [ 791.462395] binder: 12491:12496 transaction failed 29189/-3, size 24-8 line 2970 07:48:56 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r2 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r3 = semget$private(0x0, 0x1, 0x100) semctl$SEM_STAT(r3, 0x3, 0x12, &(0x7f00000006c0)=""/193) r4 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r2) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r5 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r4) r6 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r5) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r7 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r1) semctl$SEM_STAT(r3, 0x4, 0x12, &(0x7f0000000980)=""/230) keyctl$dh_compute(0x17, &(0x7f0000000340)={r6, r7, r7}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r8 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) ioctl$KVM_SET_BOOT_CPU_ID(r8, 0xae78, &(0x7f00000001c0)=0x2) [ 791.504140] binder_alloc: binder_alloc_mmap_handler: 12509 20001000-20004000 already mapped failed -16 [ 791.628929] binder: BINDER_SET_CONTEXT_MGR already set [ 791.675147] binder: 12509:12516 ioctl 40046207 0 returned -16 [ 791.714291] binder: 12509:12526 got transaction to invalid handle [ 791.720676] binder: 12509:12526 transaction failed 29201/-22, size 0-0 line 2855 [ 791.778809] binder: undelivered TRANSACTION_ERROR: 29201 [ 791.795800] binder: undelivered TRANSACTION_ERROR: 29201 [ 791.836344] binder: 12491:12518 ioctl 40046207 0 returned -16 07:48:56 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7a00000000000000, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 791.921270] binder: release 12491:12496 transaction 9350 in, still active [ 791.928317] binder: send failed reply for transaction 9350, target dead [ 791.935179] binder: undelivered TRANSACTION_ERROR: 29189 07:48:57 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269630016188368e08bd400"}}) 07:48:57 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:48:57 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfdfdffff, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 792.258460] binder: 12535:12538 got transaction to invalid handle 07:48:57 executing program 3: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r2 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r3 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r2) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r4 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r3) r5 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r4) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r6 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r1) keyctl$dh_compute(0x17, &(0x7f0000000340)={r5, r6, r6}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) recvfrom$unix(r0, &(0x7f00000001c0)=""/116, 0x74, 0x101, &(0x7f00000002c0)=@abs={0x1, 0x0, 0x4e22}, 0x6e) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:48:57 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r2 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r3 = semget$private(0x0, 0x1, 0x100) semctl$SEM_STAT(r3, 0x3, 0x12, &(0x7f00000006c0)=""/193) r4 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r2) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r5 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r4) r6 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r5) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r7 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r1) semctl$SEM_STAT(r3, 0x4, 0x12, &(0x7f0000000980)=""/230) keyctl$dh_compute(0x17, &(0x7f0000000340)={r6, r7, r7}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r8 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) ioctl$KVM_SET_BOOT_CPU_ID(r8, 0xae78, &(0x7f00000001c0)=0x2) [ 792.564031] binder: BINDER_SET_CONTEXT_MGR already set [ 792.678375] binder: 12545:12548 ioctl 40046207 0 returned -16 [ 792.757459] binder_alloc: binder_alloc_mmap_handler: 12535 20001000-20004000 already mapped failed -16 [ 792.771824] binder: 12545:12561 got transaction to invalid handle [ 792.864827] binder: 12535:12569 got transaction to invalid handle [ 792.911329] binder: release 12535:12537 transaction 9359 in, still active [ 792.918438] binder: send failed reply for transaction 9359 to 12545:12561 07:48:58 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x740e, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 793.049616] binder: undelivered TRANSACTION_COMPLETE 07:48:58 executing program 3: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)) r0 = syz_open_dev$dspn(&(0x7f0000000100)='/dev/dsp#\x00', 0xf80000000000000, 0x436000) write$RDMA_USER_CM_CMD_CREATE_ID(0xffffffffffffffff, &(0x7f0000000240)={0x0, 0x18, 0xfa00, {0x2, &(0x7f0000000200)={0xffffffffffffffff}, 0x106}}, 0x20) write$RDMA_USER_CM_CMD_SET_OPTION(r0, &(0x7f00000002c0)={0xe, 0x18, 0xfa00, @id_tos={&(0x7f00000001c0)=0x4, r1, 0x0, 0x0, 0x1}}, 0x20) getsockopt$inet_sctp_SCTP_PR_ASSOC_STATUS(r0, 0x84, 0x73, &(0x7f0000000380)={0x0, 0x8, 0x30, 0x84, 0x7fff}, &(0x7f00000003c0)=0x18) setsockopt$inet_sctp6_SCTP_SET_PEER_PRIMARY_ADDR(r0, 0x84, 0x5, &(0x7f00000006c0)={r2, @in6={{0xa, 0x4e20, 0x80, @mcast1, 0x7}}}, 0x84) r3 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r3) r4 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f0000000300)={0x73, 0x79, 0x7a, 0x1}, 0x0, 0x0, r3) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r5 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r4) r6 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r5) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r7 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r3) keyctl$dh_compute(0x17, &(0x7f0000000340)={r6, r7, r7}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) [ 793.367060] binder: release 12573:12576 transaction 9365 out, still active [ 793.374240] binder: unexpected work type, 4, not freed [ 793.379706] binder: undelivered TRANSACTION_COMPLETE [ 793.419727] binder_alloc: 12573: binder_alloc_buf, no vma [ 793.785604] binder: release 12573:12576 transaction 9365 in, still active [ 793.792697] binder: send failed reply for transaction 9365, target dead 07:48:59 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963018894f11e020200"}}) 07:48:59 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x48000000, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:48:59 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r2 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r3 = semget$private(0x0, 0x1, 0x100) semctl$SEM_STAT(r3, 0x3, 0x12, &(0x7f00000006c0)=""/193) r4 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r2) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r5 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r4) r6 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r5) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r7 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r1) semctl$SEM_STAT(r3, 0x4, 0x12, &(0x7f0000000980)=""/230) keyctl$dh_compute(0x17, &(0x7f0000000340)={r6, r7, r7}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r8 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) ioctl$KVM_SET_BOOT_CPU_ID(r8, 0xae78, &(0x7f00000001c0)=0x2) 07:48:59 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:48:59 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:48:59 executing program 3: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r2 = add_key$keyring(&(0x7f00000001c0)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r3 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r2) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r4 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r3) r5 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r4) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0xffffffffffffffea) r6 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r1) keyctl$dh_compute(0x17, &(0x7f0000000340)={r5, r6, r6}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 794.084669] binder: release 12598:12610 transaction 9370 out, still active [ 794.091880] binder: unexpected work type, 4, not freed [ 794.097255] binder: undelivered TRANSACTION_COMPLETE [ 794.134608] binder: BINDER_SET_CONTEXT_MGR already set [ 794.177287] binder_alloc: 12598: binder_alloc_buf, no vma [ 794.182664] binder: 12599:12611 ioctl 40046207 0 returned -16 [ 794.183034] binder_transaction: 4 callbacks suppressed [ 794.183050] binder: 12598:12610 transaction failed 29189/-3, size 0-117440512 line 2970 [ 794.204969] binder: 12599:12617 got transaction to invalid handle [ 794.211437] binder: 12599:12617 transaction failed 29201/-22, size 0-0 line 2855 [ 794.233197] could not allocate digest TFM handle sha1-generic 07:48:59 executing program 5: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x42, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008031, 0xffffffffffffffff, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) r4 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r5 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r4) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r5) syz_open_dev$vcsn(&(0x7f00000001c0)='/dev/vcs#\x00', 0xce88, 0x10000) syz_genetlink_get_family_id$team(&(0x7f0000000240)='team\x00') getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffff9c, 0x29, 0x23, &(0x7f00000006c0)={{{@in6=@dev, @in6}}, {{@in6}, 0x0, @in6=@dev}}, &(0x7f00000002c0)=0xe8) getsockname$packet(0xffffffffffffffff, &(0x7f0000000440), &(0x7f0000000500)=0x14) getpeername(r0, &(0x7f0000000980)=@can, &(0x7f0000000900)=0x80) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000a00)={'bond_slave_0\x00'}) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:48:59 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r2 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r3 = semget$private(0x0, 0x1, 0x100) semctl$SEM_STAT(r3, 0x3, 0x12, &(0x7f00000006c0)=""/193) r4 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r2) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r5 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r4) r6 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r5) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r7 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r1) semctl$SEM_STAT(r3, 0x4, 0x12, &(0x7f0000000980)=""/230) keyctl$dh_compute(0x17, &(0x7f0000000340)={r6, r7, r7}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:48:59 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x42, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008031, 0xffffffffffffffff, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) r4 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r5 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r4) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r5) syz_open_dev$vcsn(&(0x7f00000001c0)='/dev/vcs#\x00', 0xce88, 0x10000) syz_genetlink_get_family_id$team(&(0x7f0000000240)='team\x00') getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffff9c, 0x29, 0x23, &(0x7f00000006c0)={{{@in6=@dev, @in6}}, {{@in6}, 0x0, @in6=@dev}}, &(0x7f00000002c0)=0xe8) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:48:59 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963efc24fc08e68a200"}}) [ 794.277384] binder_alloc: binder_alloc_mmap_handler: 12599 20001000-20004000 already mapped failed -16 [ 794.307868] binder: BINDER_SET_CONTEXT_MGR already set 07:48:59 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 794.339327] binder: release 12598:12610 transaction 9370 in, still active [ 794.346431] binder: send failed reply for transaction 9370, target dead [ 794.353459] binder_release_work: 6 callbacks suppressed [ 794.353465] binder: undelivered TRANSACTION_ERROR: 29189 [ 794.371655] binder: 12599:12611 ioctl 40046207 0 returned -16 07:48:59 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 794.386367] binder: 12599:12625 got transaction to invalid handle [ 794.392740] binder: 12599:12625 transaction failed 29201/-22, size 0-0 line 2855 [ 794.400774] binder: undelivered TRANSACTION_ERROR: 29201 [ 794.408369] binder: undelivered TRANSACTION_ERROR: 29201 07:48:59 executing program 3: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r2 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) syslog(0xf, &(0x7f00000001c0)=""/156, 0x9c) r3 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r2) r4 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r5 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r3) ioctl$PERF_EVENT_IOC_ENABLE(r4, 0x2400, 0x8) r6 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r5) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r7 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r1) keyctl$dh_compute(0x17, &(0x7f0000000340)={r6, r7, r7}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:48:59 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) [ 794.638012] binder: release 12637:12643 transaction 9377 out, still active [ 794.645200] binder: unexpected work type, 4, not freed [ 794.650533] binder: undelivered TRANSACTION_COMPLETE [ 794.762444] binder: BINDER_SET_CONTEXT_MGR already set [ 794.847717] binder: 12640:12649 ioctl 40046207 0 returned -16 [ 794.882283] binder: 12640:12653 got transaction to invalid handle [ 794.888801] binder: 12640:12653 transaction failed 29201/-22, size 0-0 line 2855 [ 794.906287] binder_alloc: 12637: binder_alloc_buf, no vma [ 794.912218] binder: 12637:12643 transaction failed 29189/-3, size 0-16777216 line 2970 [ 794.990461] binder_alloc: binder_alloc_mmap_handler: 12640 20001000-20004000 already mapped failed -16 [ 795.009099] binder: BINDER_SET_CONTEXT_MGR already set [ 795.018040] binder: 12640:12649 ioctl 40046207 0 returned -16 [ 795.035808] binder: 12640:12662 transaction failed 29201/-22, size 0-0 line 2855 [ 795.056322] binder: undelivered TRANSACTION_ERROR: 29201 [ 795.074568] binder: undelivered TRANSACTION_ERROR: 29201 [ 795.100588] binder_alloc: binder_alloc_mmap_handler: 12637 20001000-20004000 already mapped failed -16 [ 795.137685] could not allocate digest TFM handle sha1-genericOh 07:49:00 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r2 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r3 = semget$private(0x0, 0x1, 0x100) semctl$SEM_STAT(r3, 0x3, 0x12, &(0x7f00000006c0)=""/193) r4 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r2) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r5 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r4) r6 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r5) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r7 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r1) semctl$SEM_STAT(r3, 0x4, 0x12, &(0x7f0000000980)=""/230) keyctl$dh_compute(0x17, &(0x7f0000000340)={r6, r7, r7}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 795.241430] binder: BINDER_SET_CONTEXT_MGR already set 07:49:00 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4c00, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 795.266273] binder: 12637:12643 ioctl 40046207 0 returned -16 [ 795.297475] binder_alloc: 12637: binder_alloc_buf, no vma [ 795.303238] binder: 12637:12666 transaction failed 29189/-3, size 24-8 line 2970 07:49:00 executing program 3: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r2 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r3 = semget$private(0x0, 0x1, 0x100) semctl$SEM_STAT(r3, 0x3, 0x12, &(0x7f00000006c0)=""/193) r4 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r2) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r5 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r4) r6 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r5) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r7 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r1) semctl$SEM_STAT(r3, 0x4, 0x12, &(0x7f0000000980)=""/230) keyctl$dh_compute(0x17, &(0x7f0000000340)={r6, r7, r7}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:49:00 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696333ed8ca3e6e1bd7500"}}) [ 795.328200] binder: 12637:12654 transaction failed 29201/-22, size 0-16777216 line 2855 [ 795.342201] binder: release 12637:12643 transaction 9377 in, still active [ 795.349200] binder: send failed reply for transaction 9377, target dead [ 795.356056] binder: undelivered TRANSACTION_ERROR: 29189 [ 795.367118] binder: undelivered TRANSACTION_ERROR: 29201 [ 795.421362] binder: undelivered TRANSACTION_ERROR: 29189 07:49:00 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6c00, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 795.838438] binder: BINDER_SET_CONTEXT_MGR already set [ 795.868894] binder_transaction: 2 callbacks suppressed [ 795.868904] binder: 12680:12689 got transaction to invalid handle [ 795.880650] binder: 12680:12689 transaction failed 29201/-22, size 0-0 line 2855 [ 795.922473] binder: 12683:12688 ioctl 40046207 0 returned -16 07:49:01 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) [ 795.982583] binder_alloc: binder_alloc_mmap_handler: 12680 20001000-20004000 already mapped failed -16 [ 796.008046] binder: 12683:12696 got transaction to invalid handle [ 796.014538] binder: 12683:12696 transaction failed 29201/-22, size 0-27648 line 2855 [ 796.015752] binder: release 12683:12691 transaction 9387 out, still active [ 796.029747] binder: unexpected work type, 4, not freed [ 796.035080] binder: undelivered TRANSACTION_COMPLETE [ 796.077312] binder: BINDER_SET_CONTEXT_MGR already set 07:49:01 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r2 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r3 = semget$private(0x0, 0x1, 0x100) semctl$SEM_STAT(r3, 0x3, 0x12, &(0x7f00000006c0)=""/193) r4 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r2) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r5 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r4) r6 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r5) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r7 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r1) semctl$SEM_STAT(r3, 0x4, 0x12, &(0x7f0000000980)=""/230) keyctl$dh_compute(0x17, &(0x7f0000000340)={r6, r7, r7}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 796.148443] binder: 12680:12684 ioctl 40046207 0 returned -16 [ 796.169847] binder: 12680:12701 got transaction to invalid handle [ 796.179708] could not allocate digest TFM handle sha1-generic3팣u [ 796.197074] binder: release 12680:12684 transaction 9387 in, still active [ 796.204200] binder: send failed reply for transaction 9387, target dead [ 796.211056] binder: undelivered TRANSACTION_ERROR: 29201 07:49:01 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x48, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 796.490806] binder: undelivered TRANSACTION_ERROR: 29201 [ 796.656829] binder: unexpected work type, 4, not freed [ 796.662240] binder: undelivered TRANSACTION_COMPLETE [ 796.740967] binder_alloc: 12714: binder_alloc_buf, no vma [ 796.917708] binder: send failed reply for transaction 9393, target dead 07:49:02 executing program 5: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r2 = add_key$keyring(&(0x7f00000001c0)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r3 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r2) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r4 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r3) r5 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r4) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0xffffffffffffffea) r6 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r1) keyctl$dh_compute(0x17, &(0x7f0000000340)={r5, r6, r6}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:49:02 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269630008176bf486d2ec00"}}) 07:49:02 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:02 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r2 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r3 = semget$private(0x0, 0x1, 0x100) semctl$SEM_STAT(r3, 0x3, 0x12, &(0x7f00000006c0)=""/193) r4 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r2) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r5 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r4) r6 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r5) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r7 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r1) semctl$SEM_STAT(r3, 0x4, 0x12, &(0x7f0000000980)=""/230) keyctl$dh_compute(0x17, &(0x7f0000000340)={r6, r7, r7}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:49:02 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7a, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:02 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:02 executing program 3: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r2 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r3 = semget$private(0x0, 0x1, 0x100) semctl$SEM_STAT(r3, 0x3, 0x12, &(0x7f00000006c0)=""/193) r4 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r2) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r5 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r4) r6 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r5) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r7 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r1) semctl$SEM_STAT(r3, 0x4, 0x12, &(0x7f0000000980)=""/230) keyctl$dh_compute(0x17, &(0x7f0000000340)={r6, r7, r7}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:49:02 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x42, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008031, 0xffffffffffffffff, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) r4 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r5 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r4) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r5) syz_open_dev$vcsn(&(0x7f00000001c0)='/dev/vcs#\x00', 0xce88, 0x10000) syz_genetlink_get_family_id$team(&(0x7f0000000240)='team\x00') getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 797.610960] binder: BINDER_SET_CONTEXT_MGR already set [ 797.620654] binder: 12737:12748 ioctl 40046207 0 returned -16 [ 797.632085] binder_alloc: 12737: binder_alloc_buf, no vma [ 797.641643] binder_thread_release: 2 callbacks suppressed [ 797.641654] binder: release 12737:12748 transaction 9398 out, still active [ 797.654557] binder: unexpected work type, 4, not freed [ 797.659935] binder: undelivered TRANSACTION_COMPLETE 07:49:02 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696300d2dd0cbf497fa400"}}) [ 797.698508] binder_alloc: binder_alloc_mmap_handler: 12731 20001000-20004000 already mapped failed -16 [ 797.746813] binder: BINDER_SET_CONTEXT_MGR already set [ 797.755675] binder: 12737:12755 got transaction to invalid handle [ 797.765222] binder: 12731:12757 got transaction to invalid handle [ 797.768922] binder: 12731:12750 ioctl 40046207 0 returned -16 07:49:02 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)) r0 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r1 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r0) r2 = semget$private(0x0, 0x1, 0x100) semctl$SEM_STAT(r2, 0x3, 0x12, &(0x7f00000006c0)=""/193) r3 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r1) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r4 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r3) r5 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r4) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r6 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r0) semctl$SEM_STAT(r2, 0x4, 0x12, &(0x7f0000000980)=""/230) keyctl$dh_compute(0x17, &(0x7f0000000340)={r5, r6, r6}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) [ 797.798810] binder: release 12731:12750 transaction 9398 in, still active [ 797.805883] binder: send failed reply for transaction 9398, target dead 07:49:02 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:03 executing program 3: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r2 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r3 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r2) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r4 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r3) r5 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r4) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r6 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r1) keyctl$dh_compute(0x17, &(0x7f0000000340)={r5, r6, r6}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) recvfrom$unix(r0, &(0x7f00000001c0)=""/116, 0x74, 0x101, &(0x7f00000002c0)=@abs={0x1, 0x0, 0x4e22}, 0x6e) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:49:03 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) [ 798.197385] binder: 12774:12781 got transaction to invalid handle 07:49:03 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963d41dedfceea4adbe00"}}) 07:49:03 executing program 5: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r2 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r3 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r2) r4 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r3) r5 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r6 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r4) r7 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r6) r8 = bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r9 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r2) fcntl$getownex(r1, 0x10, &(0x7f0000000240)={0x0, 0x0}) fstat(r1, &(0x7f0000000580)={0x0, 0x0, 0x0, 0x0, 0x0}) getgroups(0x6, &(0x7f0000000380)=[0xee00, 0xee00, 0x0, 0x0, 0xee01, 0x0]) r13 = openat$urandom(0xffffffffffffff9c, &(0x7f0000000440)='/dev/urandom\x00', 0x100, 0x0) ioctl$TIOCGSID(0xffffffffffffff9c, 0x5429, &(0x7f0000000500)=0x0) getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffff9c, 0x29, 0x23, &(0x7f00000006c0)={{{@in6=@loopback, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6}, 0x0, @in=@loopback}}, &(0x7f00000007c0)=0xe8) lstat(&(0x7f0000000800)='./file0\x00', &(0x7f00000008c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) r17 = gettid() r18 = geteuid() fstat(r0, &(0x7f0000000980)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) sendmsg$unix(r0, &(0x7f0000000840)={&(0x7f00000001c0)=@abs={0x1, 0x0, 0x4e23}, 0x6e, &(0x7f0000000100)=[{&(0x7f00000002c0)="da70ea55d4791f312e0a9adba5d0a00d6910f3f39cf760faaae25beca350616507b629286520799f4b179b2583144426a84f301944573a7c94e487ed730cf893ded445715ce1a8eadca129f4", 0x4c}], 0x1, &(0x7f0000000a00)=[@cred={0x20, 0x1, 0x2, r10, r11, r12}, @rights={0x28, 0x1, 0x1, [r5, r0, r1, r13, r8]}, @cred={0x20, 0x1, 0x2, r14, r15, r16}, @rights={0x20, 0x1, 0x1, [r0, r0, r0]}, @cred={0x20, 0x1, 0x2, r17, r18, r19}, @rights={0x30, 0x1, 0x1, [r1, r0, r5, r8, r0, r5, r1]}], 0xd8, 0x4}, 0x4) keyctl$dh_compute(0x17, &(0x7f0000000340)={r7, r9, r9}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) 07:49:03 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6800000000000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:03 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)) r0 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r1 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r0) r2 = semget$private(0x0, 0x1, 0x100) semctl$SEM_STAT(r2, 0x3, 0x12, &(0x7f00000006c0)=""/193) r3 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r1) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r4 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r3) r5 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r4) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r6 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r0) semctl$SEM_STAT(r2, 0x4, 0x12, &(0x7f0000000980)=""/230) keyctl$dh_compute(0x17, &(0x7f0000000340)={r5, r6, r6}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:49:03 executing program 3: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)) r0 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r1 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r0) r2 = semget$private(0x0, 0x1, 0x100) semctl$SEM_STAT(r2, 0x3, 0x12, &(0x7f00000006c0)=""/193) r3 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r1) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r4 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r3) r5 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r4) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r6 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r0) semctl$SEM_STAT(r2, 0x4, 0x12, &(0x7f0000000980)=""/230) keyctl$dh_compute(0x17, &(0x7f0000000340)={r5, r6, r6}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:49:03 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) [ 798.726875] could not allocate digest TFM handle sha1-generic [ 798.738901] binder: BINDER_SET_CONTEXT_MGR already set [ 798.748712] binder: 12804:12806 ioctl 40046207 0 returned -16 [ 798.771912] binder: release 12804:12806 transaction 9406 out, still active [ 798.779089] binder: unexpected work type, 4, not freed [ 798.784436] binder: undelivered TRANSACTION_COMPLETE [ 798.790373] binder_alloc: binder_alloc_mmap_handler: 12774 20001000-20004000 already mapped failed -16 07:49:03 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963000c95ebf0da5ac700"}}) [ 798.874205] binder: BINDER_SET_CONTEXT_MGR already set [ 798.899037] binder: 12774:12781 got transaction to invalid handle [ 798.914374] binder: 12774:12814 ioctl 40046207 0 returned -16 [ 798.926346] binder: release 12774:12775 transaction 9406 in, still active [ 798.933466] binder: send failed reply for transaction 9406, target dead [ 798.946052] binder: 12804:12816 got transaction to invalid handle 07:49:04 executing program 5: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x42, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008031, 0xffffffffffffffff, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) r4 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r5 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r4) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r6 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r5) r7 = syz_open_dev$vcsn(&(0x7f00000001c0)='/dev/vcs#\x00', 0xce88, 0x10000) r8 = syz_genetlink_get_family_id$team(&(0x7f0000000240)='team\x00') getsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffff9c, 0x29, 0x23, &(0x7f00000006c0)={{{@in6=@dev, @in6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6}, 0x0, @in6=@dev}}, &(0x7f00000002c0)=0xe8) getsockname$packet(0xffffffffffffffff, &(0x7f0000000440)={0x11, 0x0, 0x0}, &(0x7f0000000500)=0x14) getpeername(r0, &(0x7f0000000980)=@can={0x1d, 0x0}, &(0x7f0000000900)=0x80) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000a00)={'bond_slave_0\x00', 0x0}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr, 0x0}, &(0x7f0000000a80)=0xc) sendmsg$TEAM_CMD_PORT_LIST_GET(r7, &(0x7f0000000e40)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x8000000}, 0xc, &(0x7f0000000ac0)={&(0x7f0000000b40)={0x2d8, r8, 0x100, 0x70bd25, 0x25dfdbfb, {}, [{{0x8, 0x1, r9}, {0x3c, 0x2, [{0x38, 0x1, @lb_stats_refresh_interval={{0x24, 0x1, 'lb_stats_refresh_interval\x00'}, {0x8}, {0x8, 0x4, 0x800}}}]}}, {{0x8, 0x1, r10}, {0x278, 0x2, [{0x40, 0x1, @lb_hash_stats={{{0x24, 0x1, 'lb_hash_stats\x00'}, {0x8}, {0x8, 0x4, 0x2}}, {0x8}}}, {0x4c, 0x1, @lb_tx_method={{0x24, 0x1, 'lb_tx_method\x00'}, {0x8}, {0x1c, 0x4, 'hash_to_port_mapping\x00'}}}, {0x38, 0x1, @activeport={{0x24, 0x1, 'activeport\x00'}, {0x8}, {0x8, 0x4, r11}}}, {0x40, 0x1, @lb_tx_hash_to_port_mapping={{{0x24, 0x1, 'lb_tx_hash_to_port_mapping\x00'}, {0x8}, {0x8, 0x4, r12}}, {0x8}}}, {0x40, 0x1, @lb_hash_stats={{{0x24, 0x1, 'lb_hash_stats\x00'}, {0x8}, {0x8, 0x4, 0x3}}, {0x8}}}, {0x64, 0x1, @bpf_hash_func={{0x24, 0x1, 'bpf_hash_func\x00'}, {0x8}, {0x34, 0x4, [{0x80000000, 0x7fffffff, 0x1, 0x8}, {0x3, 0x6, 0x20, 0x3}, {0xff, 0x6, 0x7ff, 0x5}, {0x6, 0x7, 0xc286, 0x9}, {0x6, 0xea, 0x3, 0x8}, {0x886, 0x80, 0x7f, 0x10001}]}}}, {0x40, 0x1, @lb_hash_stats={{{0x24, 0x1, 'lb_hash_stats\x00'}, {0x8}, {0x8, 0x4, 0x9}}, {0x8}}}, {0x40, 0x1, @priority={{{0x24, 0x1, 'priority\x00'}, {0x8}, {0x8, 0x4, 0x8000}}, {0x8, 0x6, r13}}}, {0x4c, 0x1, @lb_tx_method={{0x24, 0x1, 'lb_tx_method\x00'}, {0x8}, {0x1c, 0x4, 'hash_to_port_mapping\x00'}}}]}}]}, 0x2d8}, 0x1, 0x0, 0x0, 0x8810}, 0x40) r14 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r6) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r15 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r1) keyctl$dh_compute(0x17, &(0x7f0000000340)={r14, r15, r15}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:49:04 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1200000000000000, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:04 executing program 3: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696300d268c6de703b3700"}}) [ 799.492516] binder: 12834:12840 got transaction to invalid handle [ 799.498924] binder_transaction: 8 callbacks suppressed [ 799.498941] binder: 12834:12840 transaction failed 29201/-22, size 0-0 line 2855 [ 799.615046] binder_release_work: 7 callbacks suppressed [ 799.615053] binder: undelivered TRANSACTION_ERROR: 29201 [ 800.190650] binder_alloc: binder_alloc_mmap_handler: 12834 20001000-20004000 already mapped failed -16 [ 800.205761] binder: BINDER_SET_CONTEXT_MGR already set [ 800.214562] binder: 12834:12840 ioctl 40046207 0 returned -16 [ 800.227611] binder: 12834:12850 got transaction to invalid handle [ 800.233929] binder: 12834:12850 transaction failed 29201/-22, size 0-0 line 2855 [ 800.249543] binder: undelivered TRANSACTION_ERROR: 29201 [ 800.270867] binder: undelivered TRANSACTION_ERROR: 29201 07:49:05 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x42, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008031, 0xffffffffffffffff, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) r4 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r5 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r4) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r5) syz_open_dev$vcsn(&(0x7f00000001c0)='/dev/vcs#\x00', 0xce88, 0x10000) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:49:05 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x68000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:05 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)) r0 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r1 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r0) r2 = semget$private(0x0, 0x1, 0x100) semctl$SEM_STAT(r2, 0x3, 0x12, &(0x7f00000006c0)=""/193) r3 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r1) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r4 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r3) r5 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r4) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r6 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r0) semctl$SEM_STAT(r2, 0x4, 0x12, &(0x7f0000000980)=""/230) keyctl$dh_compute(0x17, &(0x7f0000000340)={r5, r6, r6}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:49:05 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:05 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269631b50de2a63332a00"}}) 07:49:05 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7a000000, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:05 executing program 3: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)) r0 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r1 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r0) r2 = semget$private(0x0, 0x1, 0x100) semctl$SEM_STAT(r2, 0x3, 0x12, &(0x7f00000006c0)=""/193) r3 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r1) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r4 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r3) r5 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r4) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r6 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r0) semctl$SEM_STAT(r2, 0x4, 0x12, &(0x7f0000000980)=""/230) keyctl$dh_compute(0x17, &(0x7f0000000340)={r5, r6, r6}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) [ 800.599861] binder: BINDER_SET_CONTEXT_MGR already set [ 800.613270] binder: 12853:12861 ioctl 40046207 0 returned -16 [ 800.652340] binder: 12857:12871 transaction failed 29201/-22, size 0-0 line 2855 [ 800.692390] binder_alloc: binder_alloc_mmap_handler: 12857 20001000-20004000 already mapped failed -16 [ 800.711830] binder: 12853:12874 transaction failed 29201/-22, size 0-1744830464 line 2855 [ 800.749665] could not allocate digest TFM handle sha1-genericP*c3* [ 800.858282] binder: BINDER_SET_CONTEXT_MGR already set 07:49:05 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963132d790b94e8f800"}}) [ 800.944016] binder: 12857:12863 ioctl 40046207 0 returned -16 07:49:06 executing program 3: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)) r0 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r1 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r0) r2 = semget$private(0x0, 0x1, 0x100) semctl$SEM_STAT(r2, 0x3, 0x12, &(0x7f00000006c0)=""/193) r3 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r1) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r4 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r3) r5 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r4) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r6 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r0) semctl$SEM_STAT(r2, 0x4, 0x12, &(0x7f0000000980)=""/230) keyctl$dh_compute(0x17, &(0x7f0000000340)={r5, r6, r6}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) [ 800.995664] binder_transaction: 2 callbacks suppressed [ 800.995674] binder: 12857:12883 got transaction to invalid handle [ 801.007468] binder: 12857:12883 transaction failed 29201/-22, size 0-0 line 2855 07:49:06 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r2 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r3 = semget$private(0x0, 0x1, 0x100) semctl$SEM_STAT(r3, 0x3, 0x12, &(0x7f00000006c0)=""/193) r4 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r2) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r5 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r4) add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r5) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r1) semctl$SEM_STAT(r3, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) [ 801.093716] binder: release 12857:12863 transaction 9416 in, still active [ 801.100907] binder: send failed reply for transaction 9416 to 12853:12874 [ 801.107960] binder: undelivered TRANSACTION_ERROR: 29201 [ 801.392700] binder: undelivered TRANSACTION_ERROR: 29201 07:49:06 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:06 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 801.731843] binder: undelivered TRANSACTION_ERROR: 29201 [ 801.746360] binder: undelivered TRANSACTION_COMPLETE [ 801.751598] binder: undelivered TRANSACTION_ERROR: 29189 07:49:06 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r2 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r3 = semget$private(0x0, 0x1, 0x100) semctl$SEM_STAT(r3, 0x3, 0x12, &(0x7f00000006c0)=""/193) r4 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r2) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r5 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r4) add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r5) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) semctl$SEM_STAT(r3, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) [ 801.784563] could not allocate digest TFM handle sha1-generic-y [ 801.880640] binder: 12907:12911 got transaction to invalid handle [ 801.887050] binder: 12907:12911 transaction failed 29201/-22, size 0-0 line 2855 [ 802.043857] binder: BINDER_SET_CONTEXT_MGR already set [ 802.064862] binder: 12915:12917 ioctl 40046207 0 returned -16 [ 802.128278] binder_alloc: binder_alloc_mmap_handler: 12907 20001000-20004000 already mapped failed -16 [ 802.152050] binder: BINDER_SET_CONTEXT_MGR already set [ 802.161108] binder: 12907:12909 ioctl 40046207 0 returned -16 [ 802.179211] binder: 12915:12920 got transaction to invalid handle [ 802.180832] binder: 12907:12921 got transaction to invalid handle [ 802.185535] binder: 12915:12920 transaction failed 29201/-22, size 0-4 line 2855 [ 802.199486] binder: 12907:12921 transaction failed 29201/-22, size 0-0 line 2855 [ 802.215967] binder: release 12907:12909 transaction 9423 in, still active [ 802.223092] binder: send failed reply for transaction 9423 to 12915:12920 [ 802.230129] binder: undelivered TRANSACTION_ERROR: 29201 [ 802.307940] binder: undelivered TRANSACTION_ERROR: 29201 07:49:07 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:07 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:07 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963046da05e0c37d2cc00"}}) [ 802.544662] could not allocate digest TFM handle sha1-genericm^ 7 [ 802.738043] binder: 12938:12940 got transaction to invalid handle [ 802.744455] binder: 12938:12940 transaction failed 29201/-22, size 0-0 line 2855 [ 802.859234] binder: undelivered TRANSACTION_ERROR: 29201 [ 802.865554] binder: undelivered TRANSACTION_COMPLETE 07:49:08 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x42, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008031, 0xffffffffffffffff, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) r4 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r5 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r4) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r5) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:49:08 executing program 3: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)) r0 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r1 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r0) r2 = semget$private(0x0, 0x1, 0x100) semctl$SEM_STAT(r2, 0x3, 0x12, &(0x7f00000006c0)=""/193) r3 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r1) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r4 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r3) r5 = add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r4) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) r6 = add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r0) semctl$SEM_STAT(r2, 0x4, 0x12, &(0x7f0000000980)=""/230) keyctl$dh_compute(0x17, &(0x7f0000000340)={r5, r6, r6}, &(0x7f0000000600)=""/132, 0xff7d, 0x0) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:49:08 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r2 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r3 = semget$private(0x0, 0x1, 0x100) semctl$SEM_STAT(r3, 0x3, 0x12, &(0x7f00000006c0)=""/193) r4 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r2) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r5 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r4) add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r5) semctl$SEM_STAT(r3, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:49:08 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696300ae93fb354b467100"}}) 07:49:08 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7a0e, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:08 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:08 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) [ 803.354464] binder: BINDER_SET_CONTEXT_MGR already set [ 803.360490] binder: 12946:12952 ioctl 40046207 0 returned -16 [ 803.373595] binder: BINDER_SET_CONTEXT_MGR already set [ 803.381308] binder: 12948:12957 ioctl 40046207 0 returned -16 [ 803.387872] binder: release 12946:12952 transaction 9430 out, still active [ 803.394986] binder: unexpected work type, 4, not freed [ 803.400303] binder: undelivered TRANSACTION_COMPLETE 07:49:08 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696347f86c4db88b109f00"}}) [ 803.436648] binder: 12948:12963 got transaction to invalid handle [ 803.443111] binder: 12948:12963 transaction failed 29201/-22, size 0-0 line 2855 [ 803.476719] binder: 12946:12968 got transaction to invalid handle 07:49:08 executing program 5: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r2 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r3 = semget$private(0x0, 0x1, 0x100) semctl$SEM_STAT(r3, 0x3, 0x12, &(0x7f00000006c0)=""/193) r4 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r2) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r5 = add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r4) add_key$user(&(0x7f00003bd000)='user\x00', &(0x7f0000000b00), &(0x7f00000000c0)="7f", 0x1, r5) bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffff9c}, 0x2c) add_key$user(&(0x7f0000002cc0)='user\x00', &(0x7f0000000140), &(0x7f0000000280), 0x240, r1) semctl$SEM_STAT(r3, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:49:08 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x74, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:08 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r2 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r3 = semget$private(0x0, 0x1, 0x100) semctl$SEM_STAT(r3, 0x3, 0x12, &(0x7f00000006c0)=""/193) r4 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r2) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r4) semctl$SEM_STAT(r3, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) [ 803.493449] binder: release 12938:12939 transaction 9430 in, still active [ 803.500591] binder: send failed reply for transaction 9430, target dead 07:49:08 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) [ 803.751512] binder: release 12978:12981 transaction 9436 out, still active [ 803.758737] binder: unexpected work type, 4, not freed [ 803.764073] binder: undelivered TRANSACTION_COMPLETE 07:49:08 executing program 5: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r0, &(0x7f00000000c0)=""/11, 0xeb) [ 803.815618] could not allocate digest TFM handle sha1-genericGlM [ 803.839861] binder_alloc: 12978: binder_alloc_buf, no vma 07:49:08 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r2 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r3 = semget$private(0x0, 0x1, 0x100) semctl$SEM_STAT(r3, 0x3, 0x12, &(0x7f00000006c0)=""/193) add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r2) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(r3, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:49:09 executing program 3: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r2 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r3 = semget$private(0x0, 0x1, 0x100) semctl$SEM_STAT(r3, 0x3, 0x12, &(0x7f00000006c0)=""/193) r4 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r2) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r4) semctl$SEM_STAT(r3, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:49:09 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963ce3047bac7b04800"}}) [ 803.990624] binder: release 12978:12981 transaction 9436 in, still active [ 803.997671] binder: send failed reply for transaction 9436, target dead [ 804.170286] binder_alloc: binder_alloc_mmap_handler: 12948 20001000-20004000 already mapped failed -16 [ 804.193966] binder: 12948:13001 got transaction to invalid handle [ 804.515641] could not allocate digest TFM handle sha1-generic0GǰH 07:49:10 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x42, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008031, 0xffffffffffffffff, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) r4 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r4) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:49:10 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r2 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r3 = semget$private(0x0, 0x1, 0x100) semctl$SEM_STAT(r3, 0x3, 0x12, &(0x7f00000006c0)=""/193) add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r2) semctl$SEM_STAT(r3, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:49:10 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:10 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:10 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7400, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:10 executing program 3: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r2 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r3 = semget$private(0x0, 0x1, 0x100) semctl$SEM_STAT(r3, 0x3, 0x12, &(0x7f00000006c0)=""/193) r4 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r2) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r4) semctl$SEM_STAT(r3, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:49:10 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963634ca62003e5d23300"}}) [ 805.975253] binder: release 13020:13027 transaction 9443 out, still active [ 805.982418] binder: unexpected work type, 4, not freed [ 805.987769] binder: undelivered TRANSACTION_COMPLETE [ 805.998085] binder: BINDER_SET_CONTEXT_MGR already set 07:49:11 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r2 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r3 = semget$private(0x0, 0x1, 0x100) semctl$SEM_STAT(r3, 0x3, 0x12, &(0x7f00000006c0)=""/193) add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r2) semctl$SEM_STAT(r3, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) [ 806.020448] binder: 13018:13032 ioctl 40046207 0 returned -16 07:49:11 executing program 3: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r2 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r3 = semget$private(0x0, 0x1, 0x100) semctl$SEM_STAT(r3, 0x3, 0x12, &(0x7f00000006c0)=""/193) r4 = add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r2) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000080)='keyring\x00', &(0x7f0000000000), 0x0, 0x0, r4) semctl$SEM_STAT(r3, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) [ 806.075022] binder_alloc: 13020: binder_alloc_buf, no vma [ 806.080734] binder_transaction: 3 callbacks suppressed [ 806.080750] binder: 13020:13027 transaction failed 29189/-3, size 0-67108864 line 2970 [ 806.094681] binder: 13018:13039 got transaction to invalid handle [ 806.101065] binder: 13018:13039 transaction failed 29201/-22, size 0-0 line 2855 07:49:11 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x500, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 806.191219] binder: release 13020:13027 transaction 9443 in, still active [ 806.199744] binder: send failed reply for transaction 9443, target dead [ 806.207307] binder_release_work: 6 callbacks suppressed [ 806.207313] binder: undelivered TRANSACTION_ERROR: 29189 [ 806.285083] could not allocate digest TFM handle sha1-genericcL 3 07:49:11 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963c8f1dc5289c57000"}}) 07:49:11 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r2 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r3 = semget$private(0x0, 0x1, 0x100) semctl$SEM_STAT(r3, 0x3, 0x12, &(0x7f00000006c0)=""/193) add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r2) semctl$SEM_STAT(r3, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:49:11 executing program 5: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) r2 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r3 = semget$private(0x0, 0x1, 0x100) semctl$SEM_STAT(r3, 0x3, 0x12, &(0x7f00000006c0)=""/193) add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r2) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(r3, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:49:11 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:11 executing program 3: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963ce3047bac7b04800"}}) [ 806.525097] binder: release 13050:13051 transaction 9449 out, still active [ 806.532245] binder: unexpected work type, 4, not freed [ 806.537583] binder: undelivered TRANSACTION_COMPLETE [ 806.545793] binder_alloc: 13050: binder_alloc_buf, no vma [ 806.551793] binder: 13050:13051 transaction failed 29189/-3, size 0-1280 line 2970 07:49:11 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6c00000000000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 806.600704] binder: release 13050:13051 transaction 9449 in, still active [ 806.607789] binder: send failed reply for transaction 9449, target dead [ 806.614635] binder: undelivered TRANSACTION_ERROR: 29189 [ 806.699043] could not allocate digest TFM handle sha1-genericRp [ 806.775478] binder_alloc: binder_alloc_mmap_handler: 13018 20001000-20004000 already mapped failed -16 [ 806.844621] binder: 13018:13066 got transaction to invalid handle [ 806.851043] binder: 13018:13066 transaction failed 29201/-22, size 0-0 line 2855 [ 806.873946] binder: BINDER_SET_CONTEXT_MGR already set [ 806.895092] binder: 13071:13075 ioctl 40046207 0 returned -16 [ 806.910966] binder_alloc: 13018: binder_alloc_buf, no vma [ 806.916754] binder: 13071:13075 transaction failed 29189/-3, size 24-8 line 2970 [ 806.933879] binder: undelivered TRANSACTION_ERROR: 29201 [ 806.945308] binder: undelivered TRANSACTION_ERROR: 29201 [ 807.026708] binder: 13071:13081 got transaction to invalid handle [ 807.033107] binder: 13071:13081 transaction failed 29201/-22, size 0-7782220156096217088 line 2855 [ 807.045250] could not allocate digest TFM handle sha1-generic0GǰH [ 807.093879] binder: undelivered TRANSACTION_ERROR: 29201 [ 807.100355] binder: undelivered TRANSACTION_ERROR: 29189 07:49:13 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r2 = semget$private(0x0, 0x1, 0x100) semctl$SEM_STAT(r2, 0x3, 0x12, &(0x7f00000006c0)=""/193) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(r2, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:49:13 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696300c231fb1464508700"}}) 07:49:13 executing program 5 (fault-call:6 fault-nth:0): perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00', 0x2, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r0, &(0x7f00000000c0)=""/11, 0xeb) 07:49:13 executing program 3 (fault-call:11 fault-nth:0): r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x0, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:13 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x68, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:13 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7a00000000000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:13 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:13 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x42, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008031, 0xffffffffffffffff, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) r4 = add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) add_key$keyring(&(0x7f0000000880)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, r4) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 808.497764] binder: release 13091:13097 transaction 9458 out, still active [ 808.505021] binder: unexpected work type, 4, not freed [ 808.510373] binder: undelivered TRANSACTION_COMPLETE [ 808.521347] binder_alloc: 13091: binder_alloc_buf, no vma [ 808.527115] binder: 13091:13097 transaction failed 29189/-3, size 0-8791026472627208192 line 2970 [ 808.559591] FAULT_INJECTION: forcing a failure. [ 808.559591] name failslab, interval 1, probability 0, space 0, times 0 [ 808.564807] binder: BINDER_SET_CONTEXT_MGR already set [ 808.571289] CPU: 0 PID: 13099 Comm: syz-executor3 Not tainted 4.19.0-rc2-next-20180904+ #55 [ 808.585007] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 808.594404] Call Trace: [ 808.597032] dump_stack+0x1c9/0x2b4 [ 808.600675] ? dump_stack_print_info.cold.2+0x52/0x52 [ 808.601551] binder: 13092:13103 ioctl 40046207 0 returned -16 [ 808.605897] should_fail.cold.4+0xa/0x11 [ 808.605922] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 808.606024] ? fib_insert_alias+0x1200/0x1200 [ 808.606049] ? graph_lock+0x170/0x170 [ 808.629378] ? graph_lock+0x170/0x170 [ 808.629837] binder: 13092:13104 got transaction to invalid handle [ 808.633188] ? print_usage_bug+0xc0/0xc0 [ 808.633231] ? __lock_is_held+0xb5/0x140 [ 808.633262] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 808.633277] ? find_exception+0x517/0xc50 [ 808.633299] __should_failslab+0x124/0x180 [ 808.639560] binder: 13092:13104 transaction failed 29201/-22, size 0-0 line 2855 [ 808.643586] should_failslab+0x9/0x14 [ 808.643601] kmem_cache_alloc+0x47/0x710 [ 808.643618] ? find_held_lock+0x36/0x1c0 [ 808.672336] binder_alloc: binder_alloc_mmap_handler: 13092 20001000-20004000 already mapped failed -16 [ 808.672891] dst_alloc+0xbb/0x1d0 [ 808.672912] rt_dst_alloc+0x102/0x520 [ 808.672928] ? fnhe_flush_routes+0x480/0x480 [ 808.672957] ? rt_cache_valid+0xc2/0x250 [ 808.681863] binder: BINDER_SET_CONTEXT_MGR already set [ 808.690507] ? ipv4_dst_check+0x270/0x270 [ 808.690559] ip_route_output_key_hash_rcu+0xa5b/0x3500 [ 808.690596] ? ip_route_input_noref+0x270/0x270 [ 808.690613] ? mark_held_locks+0x160/0x160 [ 808.690637] ? lock_acquire+0x1e4/0x4f0 [ 808.695628] binder: 13092:13106 got transaction to invalid handle [ 808.697874] ? ip_route_output_key_hash+0x1ab/0x3b0 [ 808.697899] ? rcu_is_watching+0x8c/0x150 [ 808.697914] ? rcu_cleanup_dead_rnp+0x200/0x200 [ 808.697939] ip_route_output_key_hash+0x242/0x3b0 [ 808.697971] ? ip_route_output_key_hash_rcu+0x3500/0x3500 [ 808.702408] binder: 13092:13106 transaction failed 29201/-22, size 0-0 line 2855 [ 808.706446] ? __lock_is_held+0xb5/0x140 [ 808.706468] ip_route_output_flow+0x28/0xc0 [ 808.706487] tcp_v4_connect+0x7f9/0x1d70 [ 808.712223] binder: 13092:13103 ioctl 40046207 0 returned -16 [ 808.715930] ? tcp_v4_parse_md5_keys+0x340/0x340 [ 808.715958] ? find_held_lock+0x36/0x1c0 [ 808.715993] __inet_stream_connect+0x964/0x1160 [ 808.716024] ? __local_bh_enable_ip+0x161/0x230 [ 808.716046] ? inet_dgram_connect+0x2e0/0x2e0 [ 808.722005] binder: undelivered TRANSACTION_ERROR: 29201 [ 808.725989] ? trace_hardirqs_on+0xbd/0x2c0 [ 808.726004] ? lock_release+0x9f0/0x9f0 [ 808.726020] ? lock_sock_nested+0xe7/0x120 [ 808.726035] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 808.726051] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 808.726069] ? kasan_check_write+0x14/0x20 [ 808.726088] ? lock_sock_nested+0x9f/0x120 [ 808.734128] binder: undelivered TRANSACTION_ERROR: 29201 [ 808.734281] ? __local_bh_enable_ip+0x161/0x230 07:49:13 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r2 = semget$private(0x0, 0x1, 0x100) semctl$SEM_STAT(r2, 0x3, 0x12, &(0x7f00000006c0)=""/193) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(r2, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:49:13 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696354e33ef49b46ba00"}}) 07:49:13 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 808.734307] inet_stream_connect+0x58/0xa0 [ 808.863805] __sys_connect+0x37d/0x4c0 [ 808.867678] ? __ia32_sys_accept+0xb0/0xb0 [ 808.871911] ? __sb_end_write+0xac/0xe0 [ 808.875886] ? fput+0x130/0x1a0 [ 808.879163] ? do_syscall_64+0x9a/0x820 [ 808.883170] ? do_syscall_64+0x9a/0x820 [ 808.887155] ? lockdep_hardirqs_on+0x421/0x5c0 [ 808.891746] ? trace_hardirqs_on+0xbd/0x2c0 [ 808.896067] ? __ia32_sys_read+0xb0/0xb0 [ 808.900129] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 808.905771] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 808.910914] ? ksys_ioctl+0x81/0xd0 [ 808.914558] __x64_sys_connect+0x73/0xb0 [ 808.915558] binder: release 13091:13097 transaction 9458 in, still active [ 808.918628] do_syscall_64+0x1b9/0x820 [ 808.918645] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 808.918661] ? syscall_return_slowpath+0x5e0/0x5e0 [ 808.918677] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 808.918692] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 808.918705] ? recalc_sigpending_tsk+0x180/0x180 [ 808.918720] ? kasan_check_write+0x14/0x20 [ 808.918740] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 808.918763] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 808.918776] RIP: 0033:0x457099 [ 808.918793] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 808.918801] RSP: 002b:00007f2722612c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 808.918816] RAX: ffffffffffffffda RBX: 00007f27226136d4 RCX: 0000000000457099 07:49:14 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x60000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 808.918824] RDX: 0000000000000010 RSI: 0000000020000080 RDI: 0000000000000005 [ 808.918832] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000 [ 808.918841] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006 [ 808.918850] R13: 00000000004cbba8 R14: 00000000004c3424 R15: 0000000000000000 [ 809.041056] binder: send failed reply for transaction 9458, target dead [ 809.047857] binder: undelivered TRANSACTION_ERROR: 29189 [ 809.131539] binder: release 13111:13115 transaction 9465 out, still active [ 809.138662] binder: unexpected work type, 4, not freed [ 809.144012] binder: undelivered TRANSACTION_COMPLETE [ 809.194370] binder_alloc: 13111: binder_alloc_buf, no vma [ 809.200003] binder: 13111:13115 transaction failed 29189/-3, size 0-1610612736 line 2970 [ 809.242132] binder: BINDER_SET_CONTEXT_MGR already set 07:49:14 executing program 3 (fault-call:11 fault-nth:1): r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x0, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:14 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:14 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4c000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 809.292762] binder: 13122:13124 ioctl 40046207 0 returned -16 [ 809.320985] binder: release 13111:13115 transaction 9465 in, still active [ 809.328017] binder: send failed reply for transaction 9465, target dead [ 809.334848] binder: undelivered TRANSACTION_ERROR: 29189 07:49:14 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) r2 = semget$private(0x0, 0x1, 0x100) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(r2, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) [ 809.391088] binder: 13122:13127 got transaction to invalid handle [ 809.427808] could not allocate digest TFM handle sha1-genericT>F 07:49:14 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269638500d334f475122f00"}}) [ 809.620381] binder: release 13142:13146 transaction 9471 out, still active [ 809.627677] binder: unexpected work type, 4, not freed [ 809.633035] binder: undelivered TRANSACTION_COMPLETE [ 809.658221] FAULT_INJECTION: forcing a failure. [ 809.658221] name failslab, interval 1, probability 0, space 0, times 0 [ 809.669856] CPU: 1 PID: 13147 Comm: syz-executor3 Not tainted 4.19.0-rc2-next-20180904+ #55 [ 809.678384] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 809.687765] Call Trace: [ 809.690383] dump_stack+0x1c9/0x2b4 [ 809.694037] ? dump_stack_print_info.cold.2+0x52/0x52 [ 809.699268] should_fail.cold.4+0xa/0x11 [ 809.703384] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 809.708506] ? kasan_check_read+0x11/0x20 [ 809.712672] ? rcu_is_watching+0x8c/0x150 [ 809.716845] ? rcu_cleanup_dead_rnp+0x200/0x200 [ 809.721538] ? graph_lock+0x170/0x170 [ 809.725361] ? is_bpf_text_address+0xd7/0x170 [ 809.729875] ? find_held_lock+0x36/0x1c0 [ 809.733962] ? __lock_is_held+0xb5/0x140 [ 809.738053] ? check_same_owner+0x340/0x340 [ 809.742407] ? print_usage_bug+0xc0/0xc0 [ 809.746487] ? rcu_note_context_switch+0x680/0x680 [ 809.751444] ? ip_route_output_flow+0x28/0xc0 [ 809.755958] ? tcp_v4_connect+0x7f9/0x1d70 [ 809.760217] __should_failslab+0x124/0x180 [ 809.764474] should_failslab+0x9/0x14 [ 809.768295] kmem_cache_alloc_node+0x256/0x720 [ 809.772928] __alloc_skb+0x119/0x770 [ 809.776661] ? skb_scrub_packet+0x490/0x490 [ 809.781038] ? __lock_is_held+0xb5/0x140 [ 809.785124] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 809.790851] ? tcp_chrono_stop+0x25f/0x590 [ 809.795100] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 809.800655] ? tcp_chrono_start+0x1e0/0x1e0 [ 809.804990] ? graph_lock+0x170/0x170 [ 809.808815] sk_stream_alloc_skb+0x141/0x970 [ 809.813263] ? tcp_init_transfer+0x470/0x470 [ 809.817687] ? __lock_is_held+0xb5/0x140 [ 809.821784] tcp_connect+0x12bc/0x47f0 [ 809.825704] ? tcp_push_one+0x110/0x110 [ 809.829734] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 809.834523] ? pvclock_read_flags+0x160/0x160 [ 809.839050] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 809.844091] ? ktime_get_with_offset+0x32e/0x4b0 [ 809.848883] ? ktime_get+0x440/0x440 [ 809.852640] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 809.858215] ? tcp_fastopen_cookie_check+0x340/0x340 [ 809.863339] ? secure_tcp_ts_off+0xe6/0x1a0 [ 809.867679] ? secure_ipv6_port_ephemeral+0x2f0/0x2f0 [ 809.872876] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 809.878412] tcp_v4_connect+0x1950/0x1d70 [ 809.882593] ? tcp_v4_parse_md5_keys+0x340/0x340 [ 809.887356] ? find_held_lock+0x36/0x1c0 [ 809.891449] __inet_stream_connect+0x964/0x1160 [ 809.896147] ? __local_bh_enable_ip+0x161/0x230 [ 809.900835] ? inet_dgram_connect+0x2e0/0x2e0 [ 809.905326] ? trace_hardirqs_on+0xbd/0x2c0 [ 809.909635] ? lock_release+0x9f0/0x9f0 [ 809.913622] ? lock_sock_nested+0xe7/0x120 [ 809.918053] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 809.923195] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 809.927791] ? kasan_check_write+0x14/0x20 [ 809.932042] ? lock_sock_nested+0x9f/0x120 [ 809.936319] ? __local_bh_enable_ip+0x161/0x230 [ 809.941019] inet_stream_connect+0x58/0xa0 [ 809.945280] __sys_connect+0x37d/0x4c0 [ 809.949183] ? __ia32_sys_accept+0xb0/0xb0 [ 809.953436] ? __sb_end_write+0xac/0xe0 [ 809.957424] ? fput+0x130/0x1a0 [ 809.960737] ? do_syscall_64+0x9a/0x820 [ 809.964739] ? do_syscall_64+0x9a/0x820 [ 809.968736] ? lockdep_hardirqs_on+0x421/0x5c0 [ 809.973333] ? trace_hardirqs_on+0xbd/0x2c0 [ 809.977668] ? __ia32_sys_read+0xb0/0xb0 [ 809.981753] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 809.987133] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 809.992252] ? ksys_ioctl+0x81/0xd0 [ 809.995901] __x64_sys_connect+0x73/0xb0 [ 809.999978] do_syscall_64+0x1b9/0x820 [ 810.003882] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 810.009260] ? syscall_return_slowpath+0x5e0/0x5e0 [ 810.014205] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 810.019258] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 810.024288] ? recalc_sigpending_tsk+0x180/0x180 [ 810.029075] ? kasan_check_write+0x14/0x20 [ 810.033340] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 810.038223] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 810.043419] RIP: 0033:0x457099 [ 810.046649] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 07:49:15 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) [ 810.065579] RSP: 002b:00007f2722612c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 810.073305] RAX: ffffffffffffffda RBX: 00007f27226136d4 RCX: 0000000000457099 [ 810.080583] RDX: 0000000000000010 RSI: 0000000020000080 RDI: 0000000000000005 [ 810.087883] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000 [ 810.095166] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006 [ 810.102444] R13: 00000000004cbba8 R14: 00000000004c3424 R15: 0000000000000001 [ 810.113741] binder_alloc: binder_alloc_mmap_handler: 13122 20001000-20004000 already mapped failed -16 [ 810.141550] binder: BINDER_SET_CONTEXT_MGR already set [ 810.154553] binder_alloc: 13142: binder_alloc_buf, no vma [ 810.162123] binder: 13122:13127 ioctl 40046207 0 returned -16 [ 810.181088] binder: 13122:13154 got transaction to invalid handle [ 810.346685] binder: release 13142:13146 transaction 9471 in, still active [ 810.353720] binder: send failed reply for transaction 9471, target dead [ 810.434043] could not allocate digest TFM handle sha1-generic 07:49:16 executing program 5: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00', 0x2, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r0, &(0x7f00000000c0)=""/11, 0xeb) 07:49:16 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x12, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:16 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:49:16 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6c000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:16 executing program 3 (fault-call:11 fault-nth:2): r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x0, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 811.592451] binder: BINDER_SET_CONTEXT_MGR already set [ 811.601374] FAULT_INJECTION: forcing a failure. [ 811.601374] name failslab, interval 1, probability 0, space 0, times 0 [ 811.612926] CPU: 1 PID: 13179 Comm: syz-executor3 Not tainted 4.19.0-rc2-next-20180904+ #55 [ 811.621427] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 811.630809] Call Trace: [ 811.633414] dump_stack+0x1c9/0x2b4 [ 811.637062] ? dump_stack_print_info.cold.2+0x52/0x52 [ 811.642265] ? graph_lock+0x170/0x170 [ 811.646116] should_fail.cold.4+0xa/0x11 [ 811.650211] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 811.655330] ? __lock_acquire+0x7fc/0x5020 [ 811.659593] ? print_usage_bug+0xc0/0xc0 [ 811.663812] ? __update_load_avg_blocked_se+0x730/0x730 [ 811.669191] ? print_usage_bug+0xc0/0xc0 [ 811.673266] ? __update_load_avg_se+0xb80/0xb80 [ 811.677950] ? __lock_is_held+0xb5/0x140 [ 811.682026] ? graph_lock+0x170/0x170 [ 811.685840] ? print_usage_bug+0xc0/0xc0 [ 811.689913] ? __lock_acquire+0x7fc/0x5020 [ 811.694179] ? print_usage_bug+0xc0/0xc0 [ 811.698279] ? __update_load_avg_blocked_se+0x730/0x730 [ 811.703660] ? find_held_lock+0x36/0x1c0 [ 811.707845] ? lock_downgrade+0x8f0/0x8f0 [ 811.712005] ? __nf_conntrack_find_get.part.43+0xf0c/0x1bd0 [ 811.717738] ? __nf_conntrack_find_get.part.43+0xf0c/0x1bd0 [ 811.723486] __should_failslab+0x124/0x180 [ 811.727745] should_failslab+0x9/0x14 [ 811.731584] kmem_cache_alloc+0x47/0x710 [ 811.735700] __nf_conntrack_alloc+0x1b1/0x7e0 [ 811.740253] ? early_drop+0xc20/0xc20 [ 811.744067] ? __lock_acquire+0x7fc/0x5020 [ 811.748327] ? mark_held_locks+0x160/0x160 [ 811.752593] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 811.757813] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 811.763367] init_conntrack+0xfeb/0x1380 [ 811.767458] ? nf_conntrack_alloc+0x50/0x50 [ 811.771808] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 811.777016] ? lock_acquire+0x1e4/0x4f0 [ 811.781023] ? nf_conntrack_in+0x571/0x1150 [ 811.785355] ? get_l4proto+0x600/0x600 [ 811.789253] ? rcu_is_watching+0x8c/0x150 [ 811.793445] nf_conntrack_in+0xb67/0x1150 [ 811.797616] ? nf_conntrack_update+0xba0/0xba0 [ 811.802219] ? lock_downgrade+0x8f0/0x8f0 [ 811.806471] ? icmp_checkentry+0x90/0x90 [ 811.810577] ? graph_lock+0x170/0x170 [ 811.814409] ? lock_acquire+0x1d0/0x4f0 [ 811.818420] ? nf_ct_l4proto_unregister_sysctl.isra.14+0x130/0x130 [ 811.824754] ipv4_conntrack_local+0x1bc/0x290 [ 811.829260] nf_hook_slow+0xc2/0x1c0 [ 811.832989] __ip_local_out+0x56d/0xb50 [ 811.836971] ? ip_finish_output+0xfa0/0xfa0 [ 811.841316] ? ip_append_data.part.48+0x180/0x180 [ 811.846210] ? __lock_is_held+0xb5/0x140 [ 811.850300] ip_local_out+0x2d/0x1b0 [ 811.854026] __ip_queue_xmit+0x9b6/0x1f20 [ 811.858214] ? ip_build_and_send_pkt+0xc80/0xc80 [ 811.862985] ? refcount_dec_if_one+0x180/0x180 [ 811.867578] ? __build_flow_key.constprop.54+0x581/0x5f0 [ 811.873038] ? skb_split+0x11f0/0x11f0 [ 811.876934] ? __lock_is_held+0xb5/0x140 [ 811.881008] ip_queue_xmit+0x56/0x70 [ 811.884740] __tcp_transmit_skb+0x1cd2/0x4000 [ 811.889256] ? __tcp_select_window+0x9f0/0x9f0 [ 811.893840] ? trace_hardirqs_on+0xbd/0x2c0 [ 811.898164] ? sk_forced_mem_schedule+0x13b/0x170 [ 811.903028] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 811.908141] ? skb_scrub_packet+0x490/0x490 [ 811.912481] ? mem_cgroup_charge_skmem+0x183/0x350 [ 811.917421] ? mem_cgroup_sk_free+0x90/0x90 [ 811.921760] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 811.927306] ? tcp_chrono_stop+0x25f/0x590 [ 811.931549] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 811.937127] ? graph_lock+0x170/0x170 [ 811.940943] ? pvclock_read_flags+0x160/0x160 [ 811.945486] ? kasan_check_write+0x14/0x20 [ 811.949745] ? tcp_rbtree_insert+0x14c/0x1a0 [ 811.954169] tcp_connect+0x33f1/0x47f0 [ 811.958113] ? tcp_push_one+0x110/0x110 [ 811.962097] ? mark_held_locks+0xc9/0x160 [ 811.966261] ? ktime_get_with_offset+0x3a9/0x4b0 [ 811.971039] ? ktime_get_with_offset+0x3a9/0x4b0 [ 811.975805] ? pvclock_read_flags+0x160/0x160 [ 811.980308] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 811.985443] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 811.990468] ? ktime_get_with_offset+0x32e/0x4b0 [ 811.995237] ? ktime_get+0x440/0x440 [ 811.998995] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 812.004539] ? tcp_fastopen_cookie_check+0x340/0x340 [ 812.009655] ? secure_tcp_ts_off+0xe6/0x1a0 [ 812.013989] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 812.019553] tcp_v4_connect+0x1950/0x1d70 [ 812.023713] ? tcp_v4_parse_md5_keys+0x340/0x340 [ 812.028476] ? find_held_lock+0x36/0x1c0 [ 812.032551] __inet_stream_connect+0x964/0x1160 [ 812.037258] ? __local_bh_enable_ip+0x161/0x230 [ 812.041935] ? inet_dgram_connect+0x2e0/0x2e0 [ 812.046438] ? trace_hardirqs_on+0xbd/0x2c0 [ 812.050763] ? lock_release+0x9f0/0x9f0 [ 812.054747] ? lock_sock_nested+0xe7/0x120 [ 812.058992] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 812.064101] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 812.068688] ? kasan_check_write+0x14/0x20 [ 812.072937] ? lock_sock_nested+0x9f/0x120 [ 812.077193] ? __local_bh_enable_ip+0x161/0x230 [ 812.081901] inet_stream_connect+0x58/0xa0 [ 812.086146] __sys_connect+0x37d/0x4c0 [ 812.090043] ? __ia32_sys_accept+0xb0/0xb0 [ 812.094290] ? __sb_end_write+0xac/0xe0 [ 812.098277] ? fput+0x130/0x1a0 [ 812.101564] ? do_syscall_64+0x9a/0x820 [ 812.105560] ? do_syscall_64+0x9a/0x820 [ 812.109587] ? lockdep_hardirqs_on+0x421/0x5c0 [ 812.114177] ? trace_hardirqs_on+0xbd/0x2c0 [ 812.118510] ? __ia32_sys_read+0xb0/0xb0 [ 812.122586] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 812.127954] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 812.133068] ? ksys_ioctl+0x81/0xd0 [ 812.136712] __x64_sys_connect+0x73/0xb0 [ 812.140791] do_syscall_64+0x1b9/0x820 [ 812.144686] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 812.150075] ? syscall_return_slowpath+0x5e0/0x5e0 [ 812.155027] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 812.159914] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 812.164938] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 812.169963] ? prepare_exit_to_usermode+0x291/0x3b0 [ 812.174998] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 812.179856] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 812.185046] RIP: 0033:0x457099 [ 812.188249] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 812.207153] RSP: 002b:00007f2722612c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 812.214899] RAX: ffffffffffffffda RBX: 00007f27226136d4 RCX: 0000000000457099 [ 812.222208] RDX: 0000000000000010 RSI: 0000000020000080 RDI: 0000000000000005 [ 812.229480] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000 [ 812.236754] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006 [ 812.244027] R13: 00000000004cbba8 R14: 00000000004c3424 R15: 0000000000000002 [ 812.252046] binder: 13178:13182 ioctl 40046207 0 returned -16 [ 812.257469] binder: 13177:13183 got transaction to invalid handle [ 812.264310] binder_transaction: 3 callbacks suppressed [ 812.264328] binder: 13177:13183 transaction failed 29201/-22, size 0-0 line 2855 [ 812.264521] binder: release 13178:13182 transaction 9478 out, still active [ 812.284630] binder: unexpected work type, 4, not freed [ 812.288422] binder_alloc: binder_alloc_mmap_handler: 13177 20001000-20004000 already mapped failed -16 [ 812.289955] binder: undelivered TRANSACTION_COMPLETE [ 812.305422] binder: BINDER_SET_CONTEXT_MGR already set [ 812.311322] binder: 13177:13181 ioctl 40046207 0 returned -16 [ 812.317980] binder: 13177:13183 got transaction to invalid handle [ 812.324319] binder: 13177:13183 transaction failed 29201/-22, size 0-0 line 2855 [ 812.332233] binder: release 13177:13181 transaction 9478 in, still active [ 812.339223] binder: send failed reply for transaction 9478, target dead [ 812.346073] binder_release_work: 3 callbacks suppressed [ 812.346079] binder: undelivered TRANSACTION_ERROR: 29201 [ 812.357007] binder: 13178:13186 got transaction to invalid handle [ 812.363316] binder: 13178:13186 transaction failed 29201/-22, size 0-1811939328 line 2855 [ 812.372274] binder: undelivered TRANSACTION_ERROR: 29201 07:49:17 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269630044c282e3b4479400"}}) 07:49:17 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:17 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:49:17 executing program 3 (fault-call:11 fault-nth:3): r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x0, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:17 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6000000000000000, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:17 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x42, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008031, 0xffffffffffffffff, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:49:17 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7a000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 812.544707] binder: undelivered TRANSACTION_ERROR: 29201 [ 812.617697] FAULT_INJECTION: forcing a failure. [ 812.617697] name failslab, interval 1, probability 0, space 0, times 0 [ 812.629062] CPU: 1 PID: 13207 Comm: syz-executor3 Not tainted 4.19.0-rc2-next-20180904+ #55 [ 812.637565] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 812.646940] Call Trace: [ 812.649545] dump_stack+0x1c9/0x2b4 [ 812.653217] ? dump_stack_print_info.cold.2+0x52/0x52 [ 812.658447] ? mark_held_locks+0x160/0x160 [ 812.662713] should_fail.cold.4+0xa/0x11 [ 812.666798] ? __save_stack_trace+0x8d/0xf0 [ 812.671134] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 812.676265] ? save_stack+0xa9/0xd0 [ 812.679913] ? kasan_kmalloc+0xc4/0xe0 [ 812.683812] ? kasan_slab_alloc+0x12/0x20 [ 812.687984] ? kmem_cache_alloc+0x12e/0x710 [ 812.692337] ? __nf_conntrack_alloc+0x1b1/0x7e0 [ 812.697135] ? init_conntrack+0xfeb/0x1380 [ 812.701390] ? nf_conntrack_in+0xb67/0x1150 [ 812.705762] ? ipv4_conntrack_local+0x1bc/0x290 [ 812.710446] ? nf_hook_slow+0xc2/0x1c0 [ 812.714367] ? __ip_local_out+0x56d/0xb50 [ 812.718532] ? ip_local_out+0x2d/0x1b0 [ 812.722434] ? __ip_queue_xmit+0x9b6/0x1f20 [ 812.726766] ? ip_queue_xmit+0x56/0x70 [ 812.730679] ? __tcp_transmit_skb+0x1cd2/0x4000 [ 812.735399] ? tcp_connect+0x33f1/0x47f0 [ 812.739504] ? tcp_v4_connect+0x1950/0x1d70 [ 812.743853] ? __inet_stream_connect+0x964/0x1160 [ 812.748713] ? inet_stream_connect+0x58/0xa0 [ 812.753171] ? graph_lock+0x170/0x170 [ 812.757000] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 812.762380] ? find_held_lock+0x36/0x1c0 [ 812.766463] ? graph_lock+0x170/0x170 [ 812.770283] ? find_held_lock+0x36/0x1c0 [ 812.774371] __should_failslab+0x124/0x180 [ 812.778641] should_failslab+0x9/0x14 [ 812.782457] __kmalloc_track_caller+0x5f/0x720 [ 812.787063] ? kasan_check_read+0x11/0x20 [ 812.791229] ? rcu_is_watching+0x8c/0x150 [ 812.795636] ? rcu_cleanup_dead_rnp+0x200/0x200 [ 812.800334] ? nf_ct_ext_add+0x370/0x7b0 [ 812.804414] __krealloc+0x6f/0xb0 [ 812.807882] nf_ct_ext_add+0x370/0x7b0 [ 812.811811] ? nf_ct_ext_destroy+0x380/0x380 [ 812.816226] ? tcp_new+0x246/0xa80 [ 812.819795] ? tcp_options.isra.14+0x570/0x570 [ 812.824394] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 812.829590] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 812.835135] init_conntrack+0x5d2/0x1380 [ 812.839224] ? nf_conntrack_alloc+0x50/0x50 [ 812.843560] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 812.848768] ? lock_acquire+0x1e4/0x4f0 [ 812.852771] ? nf_conntrack_in+0x571/0x1150 [ 812.857104] ? get_l4proto+0x600/0x600 [ 812.861012] ? rcu_is_watching+0x8c/0x150 07:49:17 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:49:17 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:17 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963603c6184d82bdd4100"}}) [ 812.865181] nf_conntrack_in+0xb67/0x1150 [ 812.869383] ? nf_conntrack_update+0xba0/0xba0 [ 812.873985] ? lock_downgrade+0x8f0/0x8f0 [ 812.878156] ? icmp_checkentry+0x90/0x90 [ 812.882235] ? graph_lock+0x170/0x170 [ 812.886038] ? lock_acquire+0x1d0/0x4f0 [ 812.890021] ? nf_ct_l4proto_unregister_sysctl.isra.14+0x130/0x130 [ 812.896364] ipv4_conntrack_local+0x1bc/0x290 [ 812.900884] nf_hook_slow+0xc2/0x1c0 [ 812.904629] __ip_local_out+0x56d/0xb50 [ 812.908631] ? ip_finish_output+0xfa0/0xfa0 [ 812.912972] ? ip_append_data.part.48+0x180/0x180 [ 812.917843] ? __lock_is_held+0xb5/0x140 [ 812.921931] ip_local_out+0x2d/0x1b0 [ 812.925684] __ip_queue_xmit+0x9b6/0x1f20 [ 812.929866] ? ip_build_and_send_pkt+0xc80/0xc80 [ 812.934641] ? refcount_dec_if_one+0x180/0x180 [ 812.939240] ? __build_flow_key.constprop.54+0x581/0x5f0 [ 812.944730] ? skb_split+0x11f0/0x11f0 [ 812.948644] ? __lock_is_held+0xb5/0x140 [ 812.952733] ip_queue_xmit+0x56/0x70 [ 812.956480] __tcp_transmit_skb+0x1cd2/0x4000 [ 812.961013] ? __tcp_select_window+0x9f0/0x9f0 [ 812.965609] ? trace_hardirqs_on+0xbd/0x2c0 [ 812.969946] ? sk_forced_mem_schedule+0x13b/0x170 [ 812.974824] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 812.979936] ? skb_scrub_packet+0x490/0x490 [ 812.984307] ? mem_cgroup_charge_skmem+0x183/0x350 [ 812.989253] ? mem_cgroup_sk_free+0x90/0x90 [ 812.993591] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 812.999141] ? tcp_chrono_stop+0x25f/0x590 [ 813.003392] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 813.008950] ? graph_lock+0x170/0x170 [ 813.012797] ? pvclock_read_flags+0x160/0x160 [ 813.017309] ? kasan_check_write+0x14/0x20 [ 813.021569] ? tcp_rbtree_insert+0x14c/0x1a0 [ 813.026010] tcp_connect+0x33f1/0x47f0 [ 813.029923] ? tcp_push_one+0x110/0x110 [ 813.033919] ? mark_held_locks+0xc9/0x160 [ 813.038085] ? ktime_get_with_offset+0x3a9/0x4b0 [ 813.042854] ? ktime_get_with_offset+0x3a9/0x4b0 [ 813.047626] ? pvclock_read_flags+0x160/0x160 [ 813.052132] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 813.057261] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 813.062298] ? ktime_get_with_offset+0x32e/0x4b0 [ 813.067078] ? ktime_get+0x440/0x440 [ 813.070817] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 813.076375] ? tcp_fastopen_cookie_check+0x340/0x340 [ 813.081497] ? secure_tcp_ts_off+0xe6/0x1a0 [ 813.085857] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 813.091411] tcp_v4_connect+0x1950/0x1d70 [ 813.095602] ? tcp_v4_parse_md5_keys+0x340/0x340 [ 813.100377] ? find_held_lock+0x36/0x1c0 [ 813.104468] __inet_stream_connect+0x964/0x1160 [ 813.109158] ? __local_bh_enable_ip+0x161/0x230 [ 813.113845] ? inet_dgram_connect+0x2e0/0x2e0 [ 813.118356] ? trace_hardirqs_on+0xbd/0x2c0 [ 813.122694] ? lock_release+0x9f0/0x9f0 [ 813.126695] ? lock_sock_nested+0xe7/0x120 [ 813.130949] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 813.136068] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 813.140669] ? kasan_check_write+0x14/0x20 [ 813.144920] ? lock_sock_nested+0x9f/0x120 [ 813.149173] ? __local_bh_enable_ip+0x161/0x230 [ 813.153865] inet_stream_connect+0x58/0xa0 [ 813.158115] __sys_connect+0x37d/0x4c0 [ 813.162040] ? __ia32_sys_accept+0xb0/0xb0 [ 813.166328] ? __sb_end_write+0xac/0xe0 [ 813.170333] ? fput+0x130/0x1a0 [ 813.173656] ? do_syscall_64+0x9a/0x820 [ 813.177668] ? do_syscall_64+0x9a/0x820 [ 813.181652] ? lockdep_hardirqs_on+0x421/0x5c0 [ 813.186280] ? trace_hardirqs_on+0xbd/0x2c0 [ 813.190618] ? __ia32_sys_read+0xb0/0xb0 [ 813.194696] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 813.200104] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 813.205223] __x64_sys_connect+0x73/0xb0 [ 813.209312] do_syscall_64+0x1b9/0x820 [ 813.213234] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 813.218623] ? syscall_return_slowpath+0x5e0/0x5e0 [ 813.223568] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 813.228605] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 813.233631] ? recalc_sigpending_tsk+0x180/0x180 [ 813.238403] ? kasan_check_write+0x14/0x20 [ 813.242689] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 813.247567] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 813.252762] RIP: 0033:0x457099 [ 813.255963] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 813.274876] RSP: 002b:00007f2722612c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 813.282598] RAX: ffffffffffffffda RBX: 00007f27226136d4 RCX: 0000000000457099 [ 813.289879] RDX: 0000000000000010 RSI: 0000000020000080 RDI: 0000000000000005 [ 813.297159] RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000 [ 813.304438] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006 [ 813.311715] R13: 00000000004cbba8 R14: 00000000004c3424 R15: 0000000000000003 07:49:18 executing program 3 (fault-call:11 fault-nth:4): r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x0, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 813.430587] binder: 13206:13226 got transaction to invalid handle [ 813.433310] binder: BINDER_SET_CONTEXT_MGR already set [ 813.436981] binder: 13206:13226 transaction failed 29201/-22, size 0-0 line 2855 [ 813.522496] binder_alloc: binder_alloc_mmap_handler: 13206 20001000-20004000 already mapped failed -16 [ 813.540628] binder: release 13222:13231 transaction 9485 out, still active [ 813.547860] binder: unexpected work type, 4, not freed [ 813.553253] binder: undelivered TRANSACTION_COMPLETE [ 813.614731] binder: BINDER_SET_CONTEXT_MGR already set [ 813.622792] binder: 13222:13225 ioctl 40046207 0 returned -16 [ 813.640393] binder: 13206:13213 ioctl 40046207 0 returned -16 [ 813.648609] binder: 13206:13236 got transaction to invalid handle [ 813.655067] binder: 13206:13236 transaction failed 29201/-22, size 0-0 line 2855 [ 813.672207] could not allocate digest TFM handle sha1-generic`0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:49:20 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3000000, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:20 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963009a690f6adfea9e00"}}) 07:49:20 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x0, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:20 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:20 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x750e0000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 815.238852] binder: release 13250:13256 transaction 9491 out, still active [ 815.246045] binder: unexpected work type, 4, not freed [ 815.251393] binder: undelivered TRANSACTION_COMPLETE [ 815.257715] binder: BINDER_SET_CONTEXT_MGR already set [ 815.279378] binder: 13246:13252 ioctl 40046207 0 returned -16 07:49:20 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x3, 0x0, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:20 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963c17567ed9b7e5c00"}}) [ 815.373081] binder: 13246:13261 got transaction to invalid handle [ 815.379496] binder: 13246:13261 transaction failed 29201/-22, size 0-0 line 2855 [ 815.399332] binder_alloc: 13250: binder_alloc_buf, no vma [ 815.405049] binder: 13250:13256 transaction failed 29189/-3, size 0-1963851776 line 2970 07:49:20 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) [ 815.528599] binder: release 13250:13256 transaction 9491 in, still active [ 815.535730] binder: send failed reply for transaction 9491, target dead [ 815.542581] binder: undelivered TRANSACTION_ERROR: 29189 [ 815.848297] could not allocate digest TFM handle sha1-genericug~\ [ 815.892035] could not allocate digest TFM handle sha1-genericug~\ [ 816.020303] binder_alloc: binder_alloc_mmap_handler: 13246 20001000-20004000 already mapped failed -16 [ 816.066456] binder: 13246:13285 got transaction to invalid handle [ 816.072844] binder: 13246:13285 transaction failed 29201/-22, size 0-0 line 2855 [ 816.099760] binder: undelivered TRANSACTION_ERROR: 29201 [ 816.107935] binder: undelivered TRANSACTION_ERROR: 29201 07:49:21 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x42, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008031, 0xffffffffffffffff, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:49:21 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:21 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x600000000000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:21 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:49:21 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x5, 0x0, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:21 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269635375e17d0deddc00"}}) [ 816.270931] binder: release 13292:13298 transaction 9499 out, still active [ 816.278216] binder: unexpected work type, 4, not freed [ 816.283554] binder: undelivered TRANSACTION_COMPLETE [ 816.292614] binder_alloc: 13292: binder_alloc_buf, no vma [ 816.298285] binder: 13292:13298 transaction failed 29189/-3, size 0-432345564227567616 line 2970 [ 816.349798] could not allocate digest TFM handle sha1-genericSu} [ 816.400220] binder: release 13292:13298 transaction 9499 in, still active [ 816.407238] binder: send failed reply for transaction 9499, target dead [ 816.414067] binder: undelivered TRANSACTION_ERROR: 29189 07:49:22 executing program 5: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00', 0x2, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r0, &(0x7f00000000c0)=""/11, 0x200001ab) 07:49:22 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x88f40300, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:22 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x0, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:49:22 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x8, 0x0, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:22 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x34f3030000000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:22 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963c75adaf0eb950c00"}}) 07:49:22 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) [ 817.911611] binder: BINDER_SET_CONTEXT_MGR already set [ 817.928882] binder: 13322:13329 ioctl 40046207 0 returned -16 [ 817.962075] binder_alloc: 13322: binder_alloc_buf, no vma [ 817.967808] binder: 13321:13327 transaction failed 29189/-3, size 0-0 line 2970 07:49:23 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0xa, 0x0, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 818.030049] could not allocate digest TFM handle sha1-genericZ [ 818.042071] binder: 13322:13342 got transaction to invalid handle [ 818.048460] binder: 13322:13342 transaction failed 29201/-22, size 0-3815396607847825408 line 2855 07:49:23 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:49:23 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696300ace2a6f93764b800"}}) [ 818.114494] binder_alloc: binder_alloc_mmap_handler: 13321 20001000-20004000 already mapped failed -16 [ 818.160776] binder: BINDER_SET_CONTEXT_MGR already set [ 818.191308] binder: 13321:13327 ioctl 40046207 0 returned -16 [ 818.219081] binder: 13321:13351 got transaction to invalid handle [ 818.225516] binder: 13321:13351 transaction failed 29201/-22, size 0-0 line 2855 [ 818.260648] binder: release 13321:13327 transaction 9504 in, still active [ 818.267750] binder: send failed reply for transaction 9504 to 13322:13342 [ 818.274767] binder: undelivered TRANSACTION_ERROR: 29189 [ 818.320820] binder: undelivered TRANSACTION_ERROR: 29201 [ 818.753008] binder: undelivered TRANSACTION_ERROR: 29201 [ 818.758861] binder: undelivered TRANSACTION_COMPLETE [ 818.764068] binder: undelivered TRANSACTION_ERROR: 29189 07:49:23 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x42, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008031, 0xffffffffffffffff, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:49:23 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x700, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:23 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:49:23 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x240, 0x0, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:23 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:23 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269635693b29aa04ba75f00"}}) [ 819.065562] binder: 13374:13390 got transaction to invalid handle [ 819.071932] binder: 13374:13390 transaction failed 29201/-22, size 0-0 line 2855 [ 819.140778] could not allocate digest TFM handle sha1-genericVK_ [ 819.189971] could not allocate digest TFM handle sha1-genericVK_ [ 819.815350] binder_alloc: binder_alloc_mmap_handler: 13374 20001000-20004000 already mapped failed -16 [ 819.825489] binder: BINDER_SET_CONTEXT_MGR already set [ 819.831142] binder: 13374:13390 ioctl 40046207 0 returned -16 [ 819.838945] binder: 13374:13405 got transaction to invalid handle [ 819.845277] binder: 13374:13405 transaction failed 29201/-22, size 0-0 line 2855 [ 819.853614] binder: undelivered TRANSACTION_ERROR: 29201 [ 819.861404] binder: undelivered TRANSACTION_ERROR: 29201 07:49:25 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x4, 0x0, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:25 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x700000000000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:25 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:49:25 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963b12d00936bd43000"}}) 07:49:25 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:25 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4c, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:25 executing program 5: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = accept4(0xffffffffffffffff, 0x0, &(0x7f0000000080), 0x80000) setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd, &(0x7f0000000100)='scalable\x00', 0x9) openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00', 0x2, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) write$nbd(r0, &(0x7f0000000240)=ANY=[@ANYBLOB="674466980000000000000100010000005fd24e6a4802e106639fb41f25f6374581bc6cbc9df6b5f3474b5c678a14720317b2f555d535e21a5f418dd1960eabd1b9d21ee3760b17f88cf3cfb868912630989cc09eb0abf14594a3b1131b88e90cc5d5b08c742db83467698fc2106f8e362cd9e268e7ea0cb6ba52b249b94410d4570d00"], 0x15) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f00000001c0)='IPVS\x00') sendmsg$IPVS_CMD_GET_DEST(r0, &(0x7f00000003c0)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000000200)={&(0x7f0000000300)={0x8c, r2, 0x101, 0x70bd2d, 0x25dfdbfd, {}, [@IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x9}, @IPVS_CMD_ATTR_DEST={0xc, 0x2, [@IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x7}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x8}, @IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x3}, @IPVS_CMD_ATTR_DEST={0x54, 0x2, [@IPVS_DEST_ATTR_PERSIST_CONNS={0x8}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x3}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e21}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0x8}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e20}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e22}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x14}, @IPVS_DEST_ATTR_ACTIVE_CONNS={0x8, 0x7, 0x3}, @IPVS_DEST_ATTR_ACTIVE_CONNS={0x8, 0x7, 0xffffffffffffff1b}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x5}]}]}, 0x8c}, 0x1, 0x0, 0x0, 0x8000}, 0x40) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$int_out(r1, 0x5460, &(0x7f0000000140)) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r1, &(0x7f00000000c0)=""/11, 0xeb) [ 820.835233] binder: BINDER_SET_CONTEXT_MGR already set 07:49:25 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) [ 820.864840] could not allocate digest TFM handle sha1-generic- [ 820.871857] binder: 13414:13428 got transaction to invalid handle [ 820.878239] binder: 13414:13428 transaction failed 29201/-22, size 0-0 line 2855 [ 820.880392] binder: 13415:13422 ioctl 40046207 0 returned -16 [ 820.886664] binder: release 13415:13429 transaction 9515 out, still active [ 820.898917] binder: unexpected work type, 4, not freed [ 820.904253] binder: undelivered TRANSACTION_COMPLETE 07:49:25 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x9, 0x0, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:26 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696375cad30f0493530100"}}) [ 820.995371] binder_alloc: binder_alloc_mmap_handler: 13414 20001000-20004000 already mapped failed -16 [ 821.017494] binder: BINDER_SET_CONTEXT_MGR already set [ 821.032039] binder: 13414:13423 ioctl 40046207 0 returned -16 [ 821.066952] binder: 13414:13439 got transaction to invalid handle [ 821.073351] binder: 13414:13439 transaction failed 29201/-22, size 0-0 line 2855 [ 821.111261] binder: 13415:13429 got transaction to invalid handle [ 821.117660] binder: 13415:13429 transaction failed 29201/-22, size 0-504403158265495552 line 2855 [ 821.129940] binder: release 13414:13423 transaction 9515 in, still active [ 821.137021] binder: send failed reply for transaction 9515, target dead [ 821.143854] binder: undelivered TRANSACTION_ERROR: 29201 [ 821.247552] binder: undelivered TRANSACTION_ERROR: 29201 [ 821.438024] could not allocate digest TFM handle sha1-genericuS 07:49:26 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:49:26 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x300000000000000, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:26 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0xc, 0x0, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:26 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269632f1275f434d3008500"}}) 07:49:26 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x42, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008031, 0xffffffffffffffff, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:49:26 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:26 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4c00000000000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 821.659751] binder: undelivered TRANSACTION_ERROR: 29201 [ 821.800138] binder: 13466:13480 got transaction to invalid handle [ 821.806566] binder: 13466:13480 transaction failed 29201/-22, size 0-0 line 2855 07:49:26 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x501, 0x0, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:26 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) [ 821.845597] binder: BINDER_SET_CONTEXT_MGR already set [ 821.872535] could not allocate digest TFM handle sha1-generic/u4 [ 821.879954] binder: 13481:13484 ioctl 40046207 0 returned -16 [ 821.894383] binder: release 13481:13485 transaction 9522 out, still active [ 821.901921] binder: unexpected work type, 4, not freed [ 821.907293] binder: undelivered TRANSACTION_COMPLETE [ 821.908962] binder_alloc: binder_alloc_mmap_handler: 13466 20001000-20004000 already mapped failed -16 07:49:27 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963715b094da3465400"}}) [ 822.028096] binder: 13481:13485 got transaction to invalid handle [ 822.034635] binder: 13481:13485 transaction failed 29201/-22, size 0-5476377146882523136 line 2855 [ 822.059719] binder: 13466:13470 got transaction to invalid handle [ 822.099832] binder: BINDER_SET_CONTEXT_MGR already set 07:49:27 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) [ 822.133727] binder: undelivered TRANSACTION_ERROR: 29201 [ 822.141834] binder: 13466:13493 ioctl 40046207 0 returned -16 07:49:27 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x7, 0x0, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 822.182029] binder: release 13466:13470 transaction 9522 in, still active [ 822.189262] binder: send failed reply for transaction 9522, target dead [ 822.324472] could not allocate digest TFM handle sha1-genericq[ MFT 07:49:28 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696364a59d11e8484600"}}) 07:49:28 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7a0e000000000000, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:28 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:49:28 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:28 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x40000, 0x0, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:28 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:28 executing program 5: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00', 0x2, 0x0) getsockopt$IP_VS_SO_GET_SERVICES(r0, 0x0, 0x482, &(0x7f0000000140)=""/20, &(0x7f0000000100)=0xfffffffffffffef5) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x3, 0x0) ioctl$TCSBRK(r1, 0x5409, 0x9) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) r2 = socket(0x9, 0x6, 0xfff) ioctl$SG_GET_SG_TABLESIZE(r2, 0x227f, &(0x7f0000000080)) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r1, &(0x7f00000000c0)=""/11, 0xeb) [ 823.940677] binder: release 13526:13531 transaction 9528 out, still active [ 823.944283] binder: BINDER_SET_CONTEXT_MGR already set [ 823.947909] binder: unexpected work type, 4, not freed [ 823.958275] binder: 13527:13534 ioctl 40046207 0 returned -16 [ 823.958589] binder: undelivered TRANSACTION_COMPLETE 07:49:29 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) [ 824.021978] binder: 13527:13546 got transaction to invalid handle [ 824.028476] binder_transaction: 1 callbacks suppressed [ 824.028492] binder: 13527:13546 transaction failed 29201/-22, size 0-0 line 2855 [ 824.063348] binder_alloc: 13526: binder_alloc_buf, no vma [ 824.069052] binder: 13526:13547 transaction failed 29189/-3, size 0-7 line 2970 [ 824.089011] could not allocate digest TFM handle sha1-genericdHF [ 824.106641] binder_alloc: binder_alloc_mmap_handler: 13526 20001000-20004000 already mapped failed -16 [ 824.145460] binder: BINDER_SET_CONTEXT_MGR already set [ 824.157049] binder_alloc: 13526: binder_alloc_buf, no vma [ 824.162765] binder: 13526:13537 transaction failed 29189/-3, size 24-8 line 2970 [ 824.196658] binder: 13526:13531 ioctl 40046207 0 returned -16 [ 824.212921] binder_release_work: 2 callbacks suppressed [ 824.212927] binder: undelivered TRANSACTION_ERROR: 29189 [ 824.225064] binder: release 13526:13547 transaction 9528 in, still active [ 824.232340] binder: send failed reply for transaction 9528, target dead [ 824.239197] binder: undelivered TRANSACTION_ERROR: 29189 07:49:29 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x42, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008031, 0xffffffffffffffff, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:49:29 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:29 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0xd, 0x0, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:29 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963d1f1bf90bd059400"}}) 07:49:29 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x740e000000000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:29 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) [ 824.466640] binder: release 13566:13574 transaction 9535 out, still active [ 824.473869] binder: unexpected work type, 4, not freed [ 824.479241] binder: undelivered TRANSACTION_COMPLETE 07:49:29 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x10, 0x0, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 824.513940] binder_alloc: 13566: binder_alloc_buf, no vma [ 824.519692] binder: 13566:13579 transaction failed 29189/-3, size 0-8362621558073589760 line 2970 [ 824.555911] could not allocate digest TFM handle sha1-generic񿐽 07:49:29 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269630af2e666cc40a600"}}) 07:49:29 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1200000000000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 824.664449] binder: release 13566:13579 transaction 9535 in, still active [ 824.671646] binder: send failed reply for transaction 9535, target dead [ 824.678540] binder: undelivered TRANSACTION_ERROR: 29189 [ 824.725502] binder_alloc: binder_alloc_mmap_handler: 13527 20001000-20004000 already mapped failed -16 [ 824.762032] binder: 13527:13586 got transaction to invalid handle [ 824.768433] binder: 13527:13586 transaction failed 29201/-22, size 0-0 line 2855 [ 824.825078] binder: undelivered TRANSACTION_ERROR: 29201 [ 824.834777] binder: undelivered TRANSACTION_ERROR: 29201 07:49:29 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6800000000000000, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:29 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) [ 824.996045] binder: release 13597:13601 transaction 9542 out, still active [ 825.003274] binder: unexpected work type, 4, not freed [ 825.008617] binder: undelivered TRANSACTION_COMPLETE 07:49:30 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0xe803000000000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 825.156365] binder: BINDER_SET_CONTEXT_MGR already set [ 825.174795] binder: 13607:13609 ioctl 40046207 0 returned -16 [ 825.178938] binder_alloc: 13597: binder_alloc_buf, no vma [ 825.186458] binder: 13597:13601 transaction failed 29189/-3, size 0-1297036692682702848 line 2970 07:49:30 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x0, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:49:30 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) [ 825.216151] could not allocate digest TFM handle sha1-generic [ 825.216151] f@ [ 825.239238] binder: 13607:13613 got transaction to invalid handle [ 825.245644] binder: 13607:13613 transaction failed 29201/-22, size 0-0 line 2855 [ 825.339702] binder: release 13597:13601 transaction 9542 in, still active [ 825.346796] binder: send failed reply for transaction 9542, target dead [ 825.353620] binder: undelivered TRANSACTION_ERROR: 29189 [ 825.939783] binder_alloc: binder_alloc_mmap_handler: 13607 20001000-20004000 already mapped failed -16 [ 825.965636] binder: 13607:13630 got transaction to invalid handle [ 825.972029] binder: 13607:13630 transaction failed 29201/-22, size 0-0 line 2855 [ 825.980534] binder: undelivered TRANSACTION_ERROR: 29201 [ 825.988584] binder: undelivered TRANSACTION_ERROR: 29201 07:49:32 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x91ffffff, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:32 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={'sha1-generic\x00\x00\x00\v\x00'}}) 07:49:32 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:32 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:32 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x0, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:49:32 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:32 executing program 5: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) syz_open_dev$evdev(&(0x7f0000000080)='/dev/input/event#\x00', 0x8001, 0xc0040) openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00', 0x2, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r0, &(0x7f00000000c0)=""/11, 0xeb) 07:49:32 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x42, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008031, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno'}, 0x2c, {'wfdno'}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 827.197431] binder: release 13646:13653 transaction 9550 out, still active [ 827.200327] binder: BINDER_SET_CONTEXT_MGR already set [ 827.204579] binder: unexpected work type, 4, not freed [ 827.204589] binder: undelivered TRANSACTION_COMPLETE [ 827.233313] binder_alloc: 13646: binder_alloc_buf, no vma [ 827.234374] binder: 13644:13655 ioctl 40046207 0 returned -16 07:49:32 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x0, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) [ 827.239030] binder: 13646:13653 transaction failed 29189/-3, size 0-8192 line 2970 07:49:32 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 827.308408] binder: release 13646:13653 transaction 9550 in, still active [ 827.315505] binder: send failed reply for transaction 9550, target dead [ 827.322376] binder: undelivered TRANSACTION_ERROR: 29189 07:49:32 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x7000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:32 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269630010d548d513b67e00"}}) 07:49:32 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) [ 827.428380] binder: 13644:13661 got transaction to invalid handle [ 827.434794] binder: 13644:13661 transaction failed 29201/-22, size 0-0 line 2855 [ 827.635834] binder: release 13672:13677 transaction 9556 out, still active [ 827.643088] binder: unexpected work type, 4, not freed [ 827.648503] binder: undelivered TRANSACTION_COMPLETE 07:49:32 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x0) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) [ 827.754805] binder_alloc: 13672: binder_alloc_buf, no vma [ 827.783633] binder_alloc: binder_alloc_mmap_handler: 13672 20001000-20004000 already mapped failed -16 [ 827.822094] binder: BINDER_SET_CONTEXT_MGR already set 07:49:32 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0xe000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 827.860795] binder: 13672:13677 ioctl 40046207 0 returned -16 [ 827.892092] binder_alloc: 13672: binder_alloc_buf, no vma 07:49:33 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696304d23687ee37370700"}}) [ 827.969269] binder: release 13672:13677 transaction 9556 in, still active [ 827.976327] binder: send failed reply for transaction 9556, target dead [ 827.983196] binder: undelivered TRANSACTION_ERROR: 29189 [ 827.994402] binder_alloc: binder_alloc_mmap_handler: 13644 20001000-20004000 already mapped failed -16 [ 828.014070] binder: 13644:13699 got transaction to invalid handle 07:49:33 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:33 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x0) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:49:33 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xe7a, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 828.279232] binder: release 13710:13715 transaction 9564 out, still active [ 828.286480] binder: unexpected work type, 4, not freed [ 828.291824] binder: undelivered TRANSACTION_COMPLETE 07:49:33 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x1802, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 828.324708] could not allocate digest TFM handle sha1-generic677 [ 828.356572] binder_alloc: 13710: binder_alloc_buf, no vma 07:49:33 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696349241dd96426c400"}}) 07:49:33 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) [ 828.475939] binder: BINDER_SET_CONTEXT_MGR already set [ 828.499746] binder: 13721:13723 ioctl 40046207 0 returned -16 [ 828.529932] binder: release 13710:13715 transaction 9564 in, still active [ 828.536966] binder: send failed reply for transaction 9564, target dead [ 828.594104] binder: 13721:13726 got transaction to invalid handle [ 828.867080] could not allocate digest TFM handle sha1-genericI$d& [ 829.273203] binder_alloc: binder_alloc_mmap_handler: 13721 20001000-20004000 already mapped failed -16 [ 829.292217] binder: 13721:13744 got transaction to invalid handle [ 829.298528] binder_transaction: 5 callbacks suppressed [ 829.298545] binder: 13721:13744 transaction failed 29201/-22, size 3706-0 line 2855 [ 829.343218] binder_release_work: 4 callbacks suppressed [ 829.343224] binder: undelivered TRANSACTION_ERROR: 29201 [ 829.361630] binder: undelivered TRANSACTION_ERROR: 29201 [ 829.806087] 9pnet: Insufficient options for proto=fd 07:49:35 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x2000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:35 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x0) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:49:35 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000000000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:35 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:35 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269636377839027957600"}}) 07:49:35 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x68, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:35 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x42, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008031, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno'}, 0x2c, {'wfdno'}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:49:35 executing program 5: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00', 0x2, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r0, &(0x7f00000000c0)=""/11, 0xb) [ 830.407215] binder: release 13756:13759 transaction 9572 out, still active [ 830.407777] binder: BINDER_SET_CONTEXT_MGR already set [ 830.414335] binder: unexpected work type, 4, not freed [ 830.414343] binder: undelivered TRANSACTION_COMPLETE [ 830.427284] binder_alloc: 13756: binder_alloc_buf, no vma [ 830.435869] binder: 13756:13759 transaction failed 29189/-3, size 0-2305843009213693952 line 2970 [ 830.442539] binder: 13750:13764 ioctl 40046207 0 returned -16 07:49:35 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x0, 0x0) [ 830.472757] binder: 13750:13768 got transaction to invalid handle [ 830.479357] binder: 13750:13768 transaction failed 29201/-22, size 104-0 line 2855 07:49:35 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x4, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 830.582733] could not allocate digest TFM handle sha1-genericcw'v [ 830.662575] binder_alloc: binder_alloc_mmap_handler: 13750 20001000-20004000 already mapped failed -16 07:49:35 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x0, 0x0) [ 830.739281] binder: BINDER_SET_CONTEXT_MGR already set [ 830.779029] binder: release 13756:13759 transaction 9572 in, still active 07:49:35 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfdfdffff, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:35 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963e87ee626c26b588400"}}) [ 830.786242] binder: send failed reply for transaction 9572, target dead [ 830.793060] binder: undelivered TRANSACTION_ERROR: 29189 [ 830.820067] binder: 13750:13781 got transaction to invalid handle [ 830.826497] binder: 13750:13781 transaction failed 29201/-22, size 104-0 line 2855 [ 830.984027] binder: release 13788:13791 transaction 9579 out, still active [ 830.991252] binder: unexpected work type, 4, not freed [ 830.996610] binder: undelivered TRANSACTION_COMPLETE [ 831.013846] binder: undelivered TRANSACTION_ERROR: 29201 [ 831.025291] binder: 13750:13764 ioctl 40046207 0 returned -16 07:49:36 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0xfffffffe, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 831.055920] binder: undelivered TRANSACTION_ERROR: 29201 07:49:36 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:36 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7a00000000000000, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:36 executing program 2: clone(0x20002100, 0x0, 0xfffffffffffffffe, &(0x7f0000000100), 0xffffffffffffffff) r0 = getpid() openat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x0, 0x0) ioctl$KVM_DIRTY_TLB(0xffffffffffffffff, 0x4010aeaa, &(0x7f0000000140)={0x3}) ptrace$setregset(0x4205, r0, 0x201, &(0x7f0000000080)) sched_setscheduler(r0, 0x5, &(0x7f0000000040)) mremap(&(0x7f0000001000/0xc00000)=nil, 0xc00000, 0x7ffffffff000, 0x0, &(0x7f0000c87000/0x2000)=nil) [ 831.154330] could not allocate digest TFM handle sha1-generic~&kX [ 831.167990] binder_alloc: 13788: binder_alloc_buf, no vma [ 831.173857] binder: 13788:13791 transaction failed 29189/-3, size 0-4261281791 line 2970 07:49:36 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6800, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:36 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269630030d9f91648995d00"}}) [ 831.299145] binder: release 13788:13791 transaction 9579 in, still active [ 831.306325] binder: send failed reply for transaction 9579, target dead [ 831.313180] binder: undelivered TRANSACTION_ERROR: 29189 07:49:36 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x6, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:36 executing program 2: [ 831.614701] binder: BINDER_SET_CONTEXT_MGR already set [ 831.624698] binder: 13813:13818 ioctl 40046207 0 returned -16 [ 831.653860] binder: 13812:13825 got transaction to invalid handle [ 831.660284] binder: 13812:13825 transaction failed 29201/-22, size 8791026472627208192-0 line 2855 [ 831.688734] binder: unexpected work type, 4, not freed [ 831.694128] binder: undelivered TRANSACTION_COMPLETE 07:49:36 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x1800000000000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 831.754288] binder_alloc: binder_alloc_mmap_handler: 13812 20001000-20004000 already mapped failed -16 [ 831.792559] binder: BINDER_SET_CONTEXT_MGR already set [ 831.824357] binder: 13813:13827 got transaction to invalid handle [ 831.825430] binder: 13812:13819 ioctl 40046207 0 returned -16 [ 831.830702] binder: 13813:13827 transaction failed 29201/-22, size 0-26624 line 2855 [ 831.945958] binder: 13812:13831 got transaction to invalid handle [ 831.952323] binder: 13812:13831 transaction failed 29201/-22, size 8791026472627208192-0 line 2855 [ 831.974284] binder: send failed reply for transaction 9585, target dead [ 831.981211] binder: undelivered TRANSACTION_ERROR: 29201 [ 832.066764] binder: undelivered TRANSACTION_ERROR: 29201 [ 832.442630] binder: undelivered TRANSACTION_ERROR: 29201 [ 832.942471] 9pnet: Insufficient options for proto=fd 07:49:38 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x42, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008031, 0xffffffffffffffff, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno'}, 0x2c, {'wfdno'}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:49:39 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6000000, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:39 executing program 2: 07:49:39 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:39 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x400000000000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:39 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={'sha1-genericM&9\x00'}}) 07:49:39 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:39 executing program 5: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00', 0x2, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) setsockopt$l2tp_PPPOL2TP_SO_REORDERTO(r0, 0x111, 0x5, 0xffffffffffff8001, 0x4) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r1, &(0x7f00000000c0)=""/11, 0xeb) [ 834.093949] binder_thread_release: 2 callbacks suppressed [ 834.093961] binder: release 13855:13860 transaction 9591 out, still active [ 834.096765] binder: BINDER_SET_CONTEXT_MGR already set [ 834.099632] binder: unexpected work type, 4, not freed [ 834.099641] binder: undelivered TRANSACTION_COMPLETE [ 834.114081] binder_alloc: 13855: binder_alloc_buf, no vma [ 834.128411] binder: 13855:13860 transaction failed 29189/-3, size 0-2 line 2970 07:49:39 executing program 2: [ 834.275480] could not allocate digest TFM handle sha1-genericM&9 07:49:39 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x3c000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:39 executing program 2: [ 834.323837] binder: 13857:13874 got transaction to invalid handle [ 834.330378] binder: 13857:13874 transaction failed 29201/-22, size 100663296-0 line 2855 [ 834.342558] binder: 13857:13863 ioctl 40046207 0 returned -16 07:49:39 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7400000000000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:39 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269632e992f687bc87000"}}) [ 834.425450] binder: release 13855:13860 transaction 9591 in, still active [ 834.432651] binder: send failed reply for transaction 9591, target dead [ 834.439483] binder: undelivered TRANSACTION_ERROR: 29189 [ 834.500009] binder_alloc: binder_alloc_mmap_handler: 13857 20001000-20004000 already mapped failed -16 [ 834.555960] binder: 13857:13874 got transaction to invalid handle [ 834.562459] binder: 13857:13874 transaction failed 29201/-22, size 100663296-0 line 2855 [ 834.573049] binder: undelivered TRANSACTION_ERROR: 29201 [ 834.621286] binder: undelivered TRANSACTION_ERROR: 29201 07:49:39 executing program 2: r0 = socket$kcm(0x2, 0x5, 0x0) perf_event_open(&(0x7f0000000180)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1ff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) setsockopt$sock_attach_bpf(r0, 0x84, 0x7c, &(0x7f0000000580), 0x2c6) [ 834.719143] binder: release 13884:13887 transaction 9599 out, still active [ 834.726411] binder: unexpected work type, 4, not freed [ 834.731765] binder: undelivered TRANSACTION_COMPLETE 07:49:39 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6800, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:39 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) [ 834.856074] binder_alloc: 13884: binder_alloc_buf, no vma [ 834.861854] binder: 13884:13887 transaction failed 29189/-3, size 0-8358680908399640576 line 2970 [ 834.903104] could not allocate digest TFM handle sha1-generic./h{p [ 835.027140] binder: BINDER_SET_CONTEXT_MGR already set [ 835.052408] binder: undelivered TRANSACTION_ERROR: 29189 [ 835.058042] binder: release 13884:13891 transaction 9599 in, still active [ 835.058564] binder: 13899:13901 ioctl 40046207 0 returned -16 [ 835.065026] binder: send failed reply for transaction 9599, target dead [ 835.165819] binder: 13899:13905 got transaction to invalid handle [ 835.172193] binder: 13899:13905 transaction failed 29201/-22, size 26624-0 line 2855 [ 835.259335] binder_alloc: binder_alloc_mmap_handler: 13899 20001000-20004000 already mapped failed -16 [ 835.287114] binder: 13899:13905 got transaction to invalid handle [ 835.293480] binder: 13899:13905 transaction failed 29201/-22, size 26624-0 line 2855 [ 835.336520] binder: undelivered TRANSACTION_ERROR: 29201 [ 835.349207] binder: undelivered TRANSACTION_ERROR: 29201 [ 835.607992] 9pnet: Insufficient options for proto=fd 07:49:40 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x42, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:49:40 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0xe, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:40 executing program 2: r0 = socket(0x1e, 0x1, 0x0) sendmsg(r0, &(0x7f00003bbfc8)={&(0x7f0000004b00)=@generic={0x10000000001e, "02ff0100000001000000000000000ae77f5bf86c48020002000000f1ffffff009a480075e6a50000de010300000000e4ff064b3f013a000000080000008f00000000ac50d5fe32c4000000007fffffff6a008356edb9a6341c1fd45624281e00070ecddd0206c39750c40000fd00000900000000000b0000db000004da36"}, 0x80, &(0x7f0000003840), 0x0, &(0x7f000012e000)}, 0x0) fcntl$setstatus(0xffffffffffffffff, 0x4, 0x0) mmap(&(0x7f0000000000/0xfbe000)=nil, 0xfbe000, 0x7, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0) r2 = syz_open_dev$adsp(&(0x7f0000000440)='/dev/adsp#\x00', 0x9, 0x220002) write$P9_RSETATTR(r2, &(0x7f0000000540)={0x7, 0x1b, 0x2}, 0x7) r3 = syz_open_procfs(0x0, &(0x7f0000000400)='net/ip_vs\x00') ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r4 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$KVM_SMI(r3, 0xaeb7) mmap(&(0x7f0000e73000/0x2000)=nil, 0x2000, 0x0, 0x10, r4, 0x0) remap_file_pages(&(0x7f00002ec000/0x200000)=nil, 0x200000, 0x0, 0x0, 0x0) r5 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180)='/dev/kvm\x00', 0x880, 0x0) r6 = ioctl$KVM_CREATE_VM(r5, 0xae01, 0x0) r7 = ioctl$KVM_CREATE_VCPU(r6, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r6, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x3, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r7, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000500)=[@text64={0x40, &(0x7f0000000480)="660f38816b0066baf80cb8509b4186ef66bafc0cb87a5b0000ef400f09440f20c0350d000000440f22c0b991000040b8e4dd0000ba000000000f30b9800000c00f3235002000000f3066450f083ef2650f01c90f01d1c7442400d3000000c7442402e4000000c7442406000000000f011424", 0x72}], 0x1, 0x0, &(0x7f0000000200), 0x0) ioctl$KVM_REGISTER_COALESCED_MMIO(r6, 0x4010ae67, &(0x7f0000000080)={0x0, 0x10000}) ioctl$KVM_RUN(r7, 0xae80, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00027, 0x0, &(0x7f00000000c0), 0x0, 0x2000000000002) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000380)={&(0x7f0000000340)='/dev/audio\x00'}, 0x10) socket$bt_bnep(0x1f, 0x3, 0x4) 07:49:40 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6000, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:40 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:40 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269630008fea1e3ae38ef00"}}) 07:49:40 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x74000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 835.714262] binder: release 13911:13915 transaction 9607 out, still active [ 835.721827] binder: unexpected work type, 4, not freed [ 835.727184] binder: undelivered TRANSACTION_COMPLETE [ 835.735893] binder_alloc: 13911: binder_alloc_buf, no vma [ 835.741565] binder: 13911:13915 transaction failed 29189/-3, size 0-1946157056 line 2970 [ 835.784636] binder: BINDER_SET_CONTEXT_MGR already set [ 835.792323] binder: release 13911:13915 transaction 9607 in, still active [ 835.799440] binder: send failed reply for transaction 9607, target dead [ 835.806303] binder: undelivered TRANSACTION_ERROR: 29189 [ 835.813600] binder: 13917:13922 ioctl 40046207 0 returned -16 [ 835.867878] binder: 13917:13926 got transaction to invalid handle [ 835.874392] binder: 13917:13926 transaction failed 29201/-22, size 24576-0 line 2855 [ 836.577718] binder_alloc: binder_alloc_mmap_handler: 13917 20001000-20004000 already mapped failed -16 [ 836.588215] binder: 13917:13938 got transaction to invalid handle [ 836.594559] binder: 13917:13938 transaction failed 29201/-22, size 24576-0 line 2855 [ 836.604430] binder: undelivered TRANSACTION_ERROR: 29201 [ 836.612443] binder: undelivered TRANSACTION_ERROR: 29201 07:49:42 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963006696f09520156100"}}) 07:49:42 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x34f30300, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:42 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0xffffff91, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:42 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:42 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x42, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:49:42 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:42 executing program 2: r0 = socket$inet_tcp(0x2, 0x1, 0x0) bind$inet(r0, &(0x7f0000e5b000)={0x2, 0x0, @remote}, 0xfffffffffffffe6b) 07:49:42 executing program 5: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000200)="2f70726f632f7379732f6e657400000000000000072f6578706972655f6e6f646553745f636f6e6e00210b6c12defabad2b644b24020b673ceda34f7b34667180f9270697ce0b53cfffecf1f80f8fffeabf7942754254d82003f6e2cf669c106281089176f1249f2591bf4983519b35eecce64fdd505", 0x2, 0x0) ioctl$SNDRV_TIMER_IOCTL_START(r0, 0x54a0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) write$FUSE_POLL(r0, &(0x7f0000000080)={0x18, 0x0, 0x8, {0xffffffffffff2f6d}}, 0x18) getdents64(r1, &(0x7f00000000c0)=""/11, 0xeb) [ 837.407647] binder: release 13944:13950 transaction 9615 out, still active [ 837.413472] binder: BINDER_SET_CONTEXT_MGR already set [ 837.414800] binder: unexpected work type, 4, not freed [ 837.421578] binder: 13947:13951 ioctl 40046207 0 returned -16 [ 837.425394] binder: undelivered TRANSACTION_COMPLETE [ 837.439650] binder_alloc: 13944: binder_alloc_buf, no vma [ 837.445374] binder: 13944:13950 transaction failed 29189/-3, size 0-888341248 line 2970 07:49:42 executing program 2: pipe(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) write(r1, &(0x7f00000001c0), 0xffffffea) r2 = epoll_create(0xe29f) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ppoll(&(0x7f0000000140)=[{r2}, {r0}], 0x2, &(0x7f0000000180)={0x77359400}, &(0x7f0000000040), 0x8) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f00000000c0)) vmsplice(r0, &(0x7f0000000000)=[{&(0x7f0000000500), 0x3528a9c0}], 0x1, 0x0) close(r1) 07:49:42 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffff7f, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:42 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x218, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 837.498976] binder: 13947:13960 got transaction to invalid handle [ 837.505385] binder: 13947:13960 transaction failed 29201/-22, size 3-0 line 2855 [ 837.526146] binder: release 13944:13950 transaction 9615 in, still active [ 837.533263] binder: send failed reply for transaction 9615, target dead [ 837.540128] binder: undelivered TRANSACTION_ERROR: 29189 [ 837.731122] binder: release 13969:13972 transaction 9621 out, still active [ 837.738412] binder: unexpected work type, 4, not freed [ 837.743771] binder: undelivered TRANSACTION_COMPLETE 07:49:42 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x2751983000000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:42 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) [ 837.833392] binder_alloc: 13969: binder_alloc_buf, no vma 07:49:42 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x750e, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 837.936352] binder: release 13969:13972 transaction 9621 in, still active [ 837.943444] binder: send failed reply for transaction 9621, target dead 07:49:43 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269630074faa903a3b94b00"}}) [ 838.045055] binder: unexpected work type, 4, not freed [ 838.050471] binder: undelivered TRANSACTION_COMPLETE 07:49:43 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x42, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 838.092106] binder_alloc: 13988: binder_alloc_buf, no vma 07:49:43 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x700000000000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 838.210058] binder_alloc: binder_alloc_mmap_handler: 13947 20001000-20004000 already mapped failed -16 07:49:43 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4800, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 838.251001] binder: send failed reply for transaction 9626, target dead [ 838.276960] binder: 13947:13998 got transaction to invalid handle 07:49:43 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963003ece04eb9baf7800"}}) 07:49:43 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x88f40300, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:43 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x2000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 838.403600] binder: unexpected work type, 4, not freed [ 838.409009] binder: undelivered TRANSACTION_COMPLETE [ 838.461912] binder_alloc: 14010: binder_alloc_buf, no vma [ 838.559378] binder: BINDER_SET_CONTEXT_MGR already set 07:49:43 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4c, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:43 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) [ 838.596937] binder: send failed reply for transaction 9633, target dead [ 838.597272] binder: 14020:14021 ioctl 40046207 0 returned -16 [ 838.726627] binder: unexpected work type, 4, not freed [ 838.732046] binder: undelivered TRANSACTION_COMPLETE [ 838.741105] binder: 14020:14030 got transaction to invalid handle [ 838.785631] binder_alloc: 14031: binder_alloc_buf, no vma [ 838.881055] binder: send failed reply for transaction 9638, target dead [ 839.349479] binder_alloc: binder_alloc_mmap_handler: 14020 20001000-20004000 already mapped failed -16 [ 839.359965] binder: 14020:14043 got transaction to invalid handle [ 839.366281] binder_transaction: 6 callbacks suppressed [ 839.366297] binder: 14020:14043 transaction failed 29201/-22, size 2297692928-0 line 2855 07:49:45 executing program 2: clone(0x2102001ffc, 0x0, 0xfffffffffffffffe, &(0x7f0000000640), 0xffffffffffffffff) r0 = getpid() sched_setscheduler(r0, 0x5, &(0x7f0000000200)) r1 = socket$inet_tcp(0x2, 0x1, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r1, 0x8914, &(0x7f0000000140)={"6c6f3a8ca23a2330cc3000"}) 07:49:45 executing program 5: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000080)='/dev/mixer\x00', 0x400, 0x0) connect$pppoe(r0, &(0x7f0000000100)={0x18, 0x0, {0x4, @local, 'ipddp0\x00'}}, 0x1e) openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00', 0x2, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r1, &(0x7f00000000c0)=""/11, 0xeb) 07:49:45 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x900000000000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:45 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x42, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:49:45 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:45 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x300000000000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:45 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4800, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:45 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696300cc8fdfcbfa862c00"}}) 07:49:45 executing program 2: r0 = socket(0x1e, 0x1, 0x0) sendmsg(r0, &(0x7f00003bbfc8)={&(0x7f0000004b00)=@generic={0x10000000001e, "02ff0100000001000000000000000ae77f5bf86c48020002000000f1ffffff009a480075e6a50000de010300000000e4ff064b3f013a000000080000008f00000000ac50d5fe32c4000000007fffffff6a008356edb9a6341c1fd45624281e00070ecddd0206c39750c40000fd00000900000000000b0000db000004da36"}, 0x80, &(0x7f0000003840), 0x0, &(0x7f000012e000)}, 0x0) fcntl$setstatus(0xffffffffffffffff, 0x4, 0x0) mmap(&(0x7f0000000000/0xfbe000)=nil, 0xfbe000, 0x7, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0) write$P9_RSETATTR(0xffffffffffffffff, &(0x7f0000000540)={0x7, 0x1b, 0x2}, 0x7) r2 = syz_open_procfs(0x0, &(0x7f0000000400)='net/ip_vs\x00') ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r3 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$KVM_SMI(r2, 0xaeb7) mmap(&(0x7f0000e73000/0x2000)=nil, 0x2000, 0x0, 0x10, r3, 0x0) remap_file_pages(&(0x7f00002ec000/0x200000)=nil, 0x200000, 0x0, 0x0, 0x0) r4 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180)='/dev/kvm\x00', 0x880, 0x0) r5 = ioctl$KVM_CREATE_VM(r4, 0xae01, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r5, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x3, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r6, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000500)=[@text64={0x40, &(0x7f0000000480)="660f38816b0066baf80cb8509b4186ef66bafc0cb87a5b0000ef400f09440f20c0350d000000440f22c0b991000040b8e4dd0000ba000000000f30b9800000c00f3235002000000f3066450f083ef2650f01c90f01d1c7442400d3000000c7442402e4000000c7442406000000000f011424", 0x72}], 0x1, 0x0, &(0x7f0000000200), 0x0) ioctl$KVM_REGISTER_COALESCED_MMIO(r5, 0x4010ae67, &(0x7f0000000080)={0x0, 0x10000}) ioctl$KVM_RUN(r6, 0xae80, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00027, 0x0, &(0x7f00000000c0), 0x0, 0x2000000000002) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000380)={&(0x7f0000000340)='/dev/audio\x00'}, 0x10) socket$bt_bnep(0x1f, 0x3, 0x4) [ 840.167620] binder_thread_release: 6 callbacks suppressed [ 840.167641] binder: release 14048:14056 transaction 9646 out, still active [ 840.180481] binder: unexpected work type, 4, not freed [ 840.185814] binder: undelivered TRANSACTION_COMPLETE [ 840.200020] binder: BINDER_SET_CONTEXT_MGR already set [ 840.206844] binder_alloc: 14048: binder_alloc_buf, no vma [ 840.212576] binder: 14048:14056 transaction failed 29189/-3, size 0-216172782113783808 line 2970 [ 840.233293] binder: 14050:14061 ioctl 40046207 0 returned -16 07:49:45 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x2000000000000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:45 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963000000000000bc2800"}}) 07:49:45 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 840.317637] binder: release 14048:14056 transaction 9646 in, still active [ 840.324777] binder: send failed reply for transaction 9646, target dead [ 840.331615] binder_release_work: 8 callbacks suppressed [ 840.331627] binder: undelivered TRANSACTION_ERROR: 29189 [ 840.353479] binder: 14050:14066 got transaction to invalid handle [ 840.359833] binder: 14050:14066 transaction failed 29201/-22, size 18432-0 line 2855 [ 840.485535] binder: release 14082:14083 transaction 9652 out, still active [ 840.492732] binder: unexpected work type, 4, not freed [ 840.498122] binder: undelivered TRANSACTION_COMPLETE [ 840.565028] binder_alloc: 14082: binder_alloc_buf, no vma [ 840.570761] binder: 14082:14087 transaction failed 29189/-3, size 0-50331648 line 2970 07:49:45 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x5000000000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:45 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696300aed2d9ec5ee1ee00"}}) 07:49:45 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:45 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x740e0000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 840.666530] binder: release 14082:14087 transaction 9652 in, still active [ 840.673595] binder: send failed reply for transaction 9652, target dead [ 840.680420] binder: undelivered TRANSACTION_ERROR: 29189 07:49:45 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 840.821871] binder: release 14096:14097 transaction 9657 out, still active [ 840.829059] binder: unexpected work type, 4, not freed [ 840.834441] binder: undelivered TRANSACTION_COMPLETE [ 840.870750] binder_alloc: 14096: binder_alloc_buf, no vma [ 840.876921] binder: 14096:14102 transaction failed 29189/-3, size 0-1947074560 line 2970 [ 840.968988] binder_alloc: binder_alloc_mmap_handler: 14050 20001000-20004000 already mapped failed -16 [ 840.999035] binder: BINDER_SET_CONTEXT_MGR already set 07:49:46 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x20000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 841.019679] binder: 14050:14066 ioctl 40046207 0 returned -16 [ 841.079275] binder: 14050:14110 got transaction to invalid handle [ 841.085658] binder: 14050:14110 transaction failed 29201/-22, size 18432-0 line 2855 [ 841.150244] binder: undelivered TRANSACTION_ERROR: 29201 [ 841.173074] binder: release 14096:14102 transaction 9657 in, still active [ 841.180189] binder: send failed reply for transaction 9657, target dead [ 841.187025] binder: undelivered TRANSACTION_ERROR: 29189 [ 841.246595] binder: undelivered TRANSACTION_ERROR: 29201 07:49:47 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4c, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:47 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:49:47 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x300, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:47 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:47 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696300b05185cdedc2ce00"}}) 07:49:47 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0xff0f0000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:47 executing program 2: r0 = socket(0x1e, 0x1, 0x0) sendmsg(r0, &(0x7f00003bbfc8)={&(0x7f0000004b00)=@generic={0x10000000001e, "02ff0100000001000000000000000ae77f5bf86c48020002000000f1ffffff009a480075e6a50000de010300000000e4ff064b3f013a000000080000008f00000000ac50d5fe32c4000000007fffffff6a008356edb9a6341c1fd45624281e00070ecddd0206c39750c40000fd00000900000000000b0000db000004da36"}, 0x80, &(0x7f0000003840), 0x0, &(0x7f000012e000)}, 0x0) fcntl$setstatus(0xffffffffffffffff, 0x4, 0x0) mmap(&(0x7f0000000000/0xfbe000)=nil, 0xfbe000, 0x7, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0) write$P9_RSETATTR(0xffffffffffffffff, &(0x7f0000000540)={0x7, 0x1b, 0x2}, 0x7) r2 = syz_open_procfs(0x0, &(0x7f0000000400)='net/ip_vs\x00') ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r3 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$KVM_SMI(r2, 0xaeb7) mmap(&(0x7f0000e73000/0x2000)=nil, 0x2000, 0x0, 0x10, r3, 0x0) remap_file_pages(&(0x7f00002ec000/0x200000)=nil, 0x200000, 0x0, 0x0, 0x0) r4 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180)='/dev/kvm\x00', 0x880, 0x0) r5 = ioctl$KVM_CREATE_VM(r4, 0xae01, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r5, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x3, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r6, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000500)=[@text64={0x40, &(0x7f0000000480)="660f38816b0066baf80cb8509b4186ef66bafc0cb87a5b0000ef400f09440f20c0350d000000440f22c0b991000040b8e4dd0000ba000000000f30b9800000c00f3235002000000f3066450f083ef2650f01c90f01d1c7442400d3000000c7442402e4000000c7442406000000000f011424", 0x72}], 0x1, 0x0, &(0x7f0000000200), 0x0) ioctl$KVM_REGISTER_COALESCED_MMIO(r5, 0x4010ae67, &(0x7f0000000080)={0x0, 0x10000}) ioctl$KVM_RUN(r6, 0xae80, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00027, 0x0, &(0x7f00000000c0), 0x0, 0x2000000000002) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000380)={&(0x7f0000000340)='/dev/audio\x00'}, 0x10) socket$bt_bnep(0x1f, 0x3, 0x4) 07:49:47 executing program 5: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000140)="2f70726f632f7379732f6f65742f007076342f76732f6c626c635f65fdb3141cd18a77e5bc003bdf61ba16000000000000000000000000000000003229c5d38377af5af11a7393857682b830a75ba194db9c29bc06afa11ee1f35dd2576742cc2b145a4af8d2d39da1841617c4727ed98ed791fcee89868871e566225e8ba6af2a395e2e6e91d93b8569a106f1a89fd88fe87d6642d563d0603d9a94022ea49c791e8cb75560151d27ac93c86d3ad1229fbd9b565d42205d2d50dcc0a820562792f04be626faddda2aed0c256b350fa1d70f6844b8b9f4c2dc6090855d301e5389687545b7a7116fa235d4afb55ca7bc2a18f6847dfc9d5d2cc7abe7cf78e4112ce458cdf7c64a14f7fa96e34a0804f920701b35b57b5b1c40532083ed9b960d7ca2c55eb5bcfa91bcce44bd37a68543a20798e0672eca", 0x2, 0x0) remap_file_pages(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0x1000000, 0x8, 0x2) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) ioctl$VT_ACTIVATE(r0, 0x5606, 0x200) openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$EVIOCRMFF(r1, 0x40044581, &(0x7f0000000100)=0x350) gettid() [ 842.711451] binder: release 14135:14139 transaction 9663 out, still active [ 842.714055] binder: BINDER_SET_CONTEXT_MGR already set [ 842.718659] binder: unexpected work type, 4, not freed [ 842.729350] binder: undelivered TRANSACTION_COMPLETE [ 842.732241] binder: 14134:14141 ioctl 40046207 0 returned -16 07:49:47 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x3e8, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 842.807972] binder_alloc: 14135: binder_alloc_buf, no vma [ 842.813676] binder: 14135:14139 transaction failed 29189/-3, size 0-768 line 2970 07:49:47 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 842.854148] binder: 14134:14147 got transaction to invalid handle [ 842.860615] binder: 14134:14147 transaction failed 29201/-22, size 76-0 line 2855 07:49:48 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x700, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 842.970942] binder: release 14135:14139 transaction 9663 in, still active [ 842.978129] binder: send failed reply for transaction 9663, target dead [ 842.984989] binder: undelivered TRANSACTION_ERROR: 29189 07:49:48 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x4002000000000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 843.142729] binder: release 14161:14163 transaction 9669 out, still active [ 843.149890] binder: unexpected work type, 4, not freed [ 843.155286] binder: undelivered TRANSACTION_COMPLETE 07:49:48 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 843.295353] binder_alloc: 14161: binder_alloc_buf, no vma [ 843.301064] binder: 14161:14163 transaction failed 29189/-3, size 0-1792 line 2970 07:49:48 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x50000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:48 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:48 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 843.485700] binder: release 14161:14163 transaction 9669 in, still active [ 843.492901] binder: send failed reply for transaction 9669, target dead [ 843.499797] binder: undelivered TRANSACTION_ERROR: 29189 [ 843.510070] binder_alloc: binder_alloc_mmap_handler: 14134 20001000-20004000 already mapped failed -16 [ 843.546432] binder: 14134:14178 got transaction to invalid handle [ 843.552930] binder: 14134:14178 transaction failed 29201/-22, size 76-0 line 2855 [ 843.594547] binder: undelivered TRANSACTION_ERROR: 29201 [ 843.619853] binder: undelivered TRANSACTION_ERROR: 29201 07:49:48 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffff7f, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:48 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1200, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:48 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963c82337b93b607200"}}) 07:49:48 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0xe8030000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:48 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 843.737501] binder: unexpected work type, 4, not freed [ 843.742884] binder: undelivered TRANSACTION_COMPLETE [ 843.778574] binder_alloc: 14189: binder_alloc_buf, no vma [ 843.867855] binder: BINDER_SET_CONTEXT_MGR already set 07:49:48 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4800000000000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 843.897485] binder: 14192:14197 ioctl 40046207 0 returned -16 [ 843.926553] binder: send failed reply for transaction 9676, target dead [ 843.933425] binder: undelivered TRANSACTION_ERROR: 29189 [ 843.982078] binder: 14192:14204 got transaction to invalid handle [ 844.001863] could not allocate digest TFM handle sha1-generic#7;`r [ 844.110265] binder: unexpected work type, 4, not freed [ 844.115682] binder: undelivered TRANSACTION_COMPLETE [ 844.124502] binder_alloc: 14209: binder_alloc_buf, no vma [ 844.169058] binder: send failed reply for transaction 9682, target dead 07:49:49 executing program 2: r0 = socket(0x1e, 0x1, 0x0) sendmsg(r0, &(0x7f00003bbfc8)={&(0x7f0000004b00)=@generic={0x10000000001e, "02ff0100000001000000000000000ae77f5bf86c48020002000000f1ffffff009a480075e6a50000de010300000000e4ff064b3f013a000000080000008f00000000ac50d5fe32c4000000007fffffff6a008356edb9a6341c1fd45624281e00070ecddd0206c39750c40000fd00000900000000000b0000db000004da36"}, 0x80, &(0x7f0000003840), 0x0, &(0x7f000012e000)}, 0x0) fcntl$setstatus(0xffffffffffffffff, 0x4, 0x0) mmap(&(0x7f0000000000/0xfbe000)=nil, 0xfbe000, 0x7, 0x31, 0xffffffffffffffff, 0x0) r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm\x00', 0x0, 0x0) write$P9_RSETATTR(0xffffffffffffffff, &(0x7f0000000540)={0x7, 0x1b, 0x2}, 0x7) r2 = syz_open_procfs(0x0, &(0x7f0000000400)='net/ip_vs\x00') ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0) r3 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$KVM_SMI(r2, 0xaeb7) mmap(&(0x7f0000e73000/0x2000)=nil, 0x2000, 0x0, 0x10, r3, 0x0) remap_file_pages(&(0x7f00002ec000/0x200000)=nil, 0x200000, 0x0, 0x0, 0x0) r4 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180)='/dev/kvm\x00', 0x880, 0x0) r5 = ioctl$KVM_CREATE_VM(r4, 0xae01, 0x0) r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r5, 0x4020ae46, &(0x7f0000bf7000)={0x0, 0x3, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r6, &(0x7f0000fe8000/0x18000)=nil, &(0x7f0000000500)=[@text64={0x40, &(0x7f0000000480)="660f38816b0066baf80cb8509b4186ef66bafc0cb87a5b0000ef400f09440f20c0350d000000440f22c0b991000040b8e4dd0000ba000000000f30b9800000c00f3235002000000f3066450f083ef2650f01c90f01d1c7442400d3000000c7442402e4000000c7442406000000000f011424", 0x72}], 0x1, 0x0, &(0x7f0000000200), 0x0) ioctl$KVM_REGISTER_COALESCED_MMIO(r5, 0x4010ae67, &(0x7f0000000080)={0x0, 0x10000}) ioctl$KVM_RUN(r6, 0xae80, 0x0) mbind(&(0x7f0000012000/0xc00000)=nil, 0xc00027, 0x0, &(0x7f00000000c0), 0x0, 0x2000000000002) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000380)={&(0x7f0000000340)='/dev/audio\x00'}, 0x10) socket$bt_bnep(0x1f, 0x3, 0x4) [ 844.663532] binder_alloc: binder_alloc_mmap_handler: 14192 20001000-20004000 already mapped failed -16 [ 844.688918] binder: 14192:14221 got transaction to invalid handle [ 844.695248] binder_transaction: 3 callbacks suppressed [ 844.695265] binder: 14192:14221 transaction failed 29201/-22, size 4294967167-0 line 2855 07:49:50 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:50 executing program 7: add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) 07:49:50 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x40020000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:50 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffff7f00000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:50 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696300e4ae7bedf18ec000"}}) 07:49:50 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x74, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:50 executing program 2: r0 = socket$inet6(0xa, 0x1000000000002, 0x0) ioctl(r0, 0x8912, &(0x7f0000000280)="153f6234488dd25d766070") r1 = socket$inet6(0xa, 0x3, 0x3a) setsockopt$inet6_MRT6_ADD_MIF(0xffffffffffffffff, 0x29, 0xca, &(0x7f0000000000), 0xc) setsockopt$inet6_MRT6_ADD_MFC(r1, 0x29, 0xcc, &(0x7f0000000040)={{0xa, 0x0, 0x0, @loopback}, {0xa, 0x0, 0x0, @mcast1}, 0x0, [0x8001]}, 0x5c) 07:49:50 executing program 5: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$sndpcmc(&(0x7f0000000080)='/dev/snd/pcmC#D#c\x00', 0x400, 0x40000) getsockopt$inet_sctp_SCTP_GET_ASSOC_ID_LIST(r0, 0x84, 0x1d, &(0x7f0000000100)={0x6, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, &(0x7f0000000140)=0x1c) openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00', 0x2, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r1, &(0x7f00000000c0)=""/11, 0xeb) [ 845.620103] binder_thread_release: 4 callbacks suppressed [ 845.620114] binder: release 14227:14234 transaction 9689 out, still active [ 845.632849] binder: unexpected work type, 4, not freed [ 845.638206] binder: undelivered TRANSACTION_COMPLETE [ 845.646866] binder_alloc: 14227: binder_alloc_buf, no vma [ 845.652643] binder: 14227:14234 transaction failed 29189/-3, size 0--554050781184 line 2970 [ 845.658114] binder: BINDER_SET_CONTEXT_MGR already set [ 845.678266] binder: 14229:14236 ioctl 40046207 0 returned -16 07:49:50 executing program 2: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000140)="2f70726f632f7379732f6f65742f007076342f76732f6c626c635f65fdb3141cd18a77e5bc003bdf61ba16000000000000000000000000000000003229c5d38377af5af11a7393857682b830a75ba194db9c29bc06afa11ee1f35dd2576742cc2b145a4af8d2d39da1841617c4727ed98ed791fcee89868871e566225e8ba6af2a395e2e6e91d93b8569a106f1a89fd88fe87d6642d563d0603d9a94022ea49c791e8cb75560151d27ac93c86d3ad1229fbd9b565d42205d2d50dcc0a820562792f04be626faddda2aed0c256b350fa1d70f6844b8b9f4c2dc6090855d301e5389687545b7a7116fa235d4afb55ca7bc2a18f6847dfc9d5d2cc7abe7cf78e4112ce458cdf7c64a14f7fa96e34a0804f920701b35b57b5b1c40532083ed9b960d7ca2c55eb5bcfa91bcce44bd37a68543a20798e0672eca", 0x2, 0x0) remap_file_pages(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0x1000000, 0x8, 0x2) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) ioctl$VT_ACTIVATE(r0, 0x5606, 0x200) openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$EVIOCRMFF(r1, 0x40044581, &(0x7f0000000100)=0x350) gettid() 07:49:50 executing program 7: add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) 07:49:50 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x4000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 845.791786] binder: 14229:14249 got transaction to invalid handle [ 845.798240] binder: 14229:14249 transaction failed 29201/-22, size 116-0 line 2855 [ 845.825642] binder: release 14227:14234 transaction 9689 in, still active [ 845.832741] binder: send failed reply for transaction 9689, target dead 07:49:50 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4c00, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 845.839584] binder_release_work: 3 callbacks suppressed [ 845.839590] binder: undelivered TRANSACTION_ERROR: 29189 [ 845.991487] binder: release 14259:14262 transaction 9695 out, still active [ 845.998716] binder: unexpected work type, 4, not freed [ 846.004082] binder: undelivered TRANSACTION_COMPLETE 07:49:51 executing program 7: add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) 07:49:51 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0xe00000000000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:51 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) [ 846.116406] binder_alloc: 14259: binder_alloc_buf, no vma [ 846.122145] binder: 14259:14262 transaction failed 29189/-3, size 0-19456 line 2970 07:49:51 executing program 7: socketpair$unix(0x1, 0x0, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:49:51 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7a00, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 846.297065] binder: release 14259:14262 transaction 9695 in, still active [ 846.304244] binder: send failed reply for transaction 9695, target dead [ 846.311075] binder: undelivered TRANSACTION_ERROR: 29189 [ 846.434675] binder: release 14283:14285 transaction 9700 out, still active [ 846.441823] binder: unexpected work type, 4, not freed [ 846.447257] binder: undelivered TRANSACTION_COMPLETE [ 846.456371] binder_alloc: binder_alloc_mmap_handler: 14229 20001000-20004000 already mapped failed -16 07:49:51 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x300000000000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:51 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696300d4a959364b6f2c00"}}) [ 846.504456] binder: BINDER_SET_CONTEXT_MGR already set [ 846.532114] binder: 14229:14290 got transaction to invalid handle [ 846.538541] binder: 14229:14290 transaction failed 29201/-22, size 116-0 line 2855 [ 846.567890] binder: 14229:14249 ioctl 40046207 0 returned -16 07:49:51 executing program 7: socketpair$unix(0x1, 0x0, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 846.598889] binder_alloc: 14283: binder_alloc_buf, no vma [ 846.604596] binder: 14283:14285 transaction failed 29189/-3, size 0-31232 line 2970 [ 846.620870] binder: undelivered TRANSACTION_ERROR: 29201 [ 846.631824] binder: undelivered TRANSACTION_ERROR: 29201 07:49:51 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x12, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:51 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3f334, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 846.765422] binder: release 14283:14285 transaction 9700 in, still active [ 846.772508] binder: send failed reply for transaction 9700, target dead [ 846.779353] binder: undelivered TRANSACTION_ERROR: 29189 07:49:51 executing program 7: socketpair$unix(0x1, 0x0, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 846.904055] binder: release 14305:14307 transaction 9706 out, still active [ 846.911233] binder: unexpected work type, 4, not freed [ 846.916597] binder: undelivered TRANSACTION_COMPLETE [ 846.925336] binder: BINDER_SET_CONTEXT_MGR already set [ 846.934194] binder: 14303:14306 ioctl 40046207 0 returned -16 [ 846.955757] binder_alloc: 14305: binder_alloc_buf, no vma [ 846.961581] binder: 14305:14307 transaction failed 29189/-3, size 0-258868 line 2970 [ 846.991520] binder: 14303:14310 got transaction to invalid handle [ 846.997889] binder: 14303:14310 transaction failed 29201/-22, size 18-0 line 2855 [ 847.000917] binder: release 14305:14307 transaction 9706 in, still active [ 847.012657] binder: send failed reply for transaction 9706, target dead [ 847.019465] binder: undelivered TRANSACTION_ERROR: 29189 [ 847.692981] binder_alloc: binder_alloc_mmap_handler: 14303 20001000-20004000 already mapped failed -16 [ 847.704116] binder: 14303:14320 got transaction to invalid handle [ 847.710556] binder: 14303:14320 transaction failed 29201/-22, size 18-0 line 2855 [ 847.719092] binder: undelivered TRANSACTION_ERROR: 29201 [ 847.728292] binder: undelivered TRANSACTION_ERROR: 29201 07:49:53 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x600000000000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:53 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696300728237bd84a21900"}}) 07:49:53 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:53 executing program 2: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696300e4ae7bedf18ec000"}}) 07:49:53 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x12, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:53 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:49:53 executing program 5: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00', 0x2, 0x0) mprotect(&(0x7f000067e000/0x1000)=nil, 0x1000, 0x2) r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r0, &(0x7f00000000c0)=""/11, 0xeb) 07:49:53 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x48, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 848.247092] binder: BINDER_SET_CONTEXT_MGR already set [ 848.268298] binder: 14328:14335 ioctl 40046207 0 returned -16 [ 848.278698] binder: 14324:14338 got transaction to invalid handle [ 848.285106] binder: 14324:14338 transaction failed 29201/-22, size 72-0 line 2855 [ 848.291259] binder: release 14328:14335 transaction 9715 out, still active [ 848.299929] binder: unexpected work type, 4, not freed [ 848.305273] binder: undelivered TRANSACTION_COMPLETE [ 848.367741] binder_alloc: binder_alloc_mmap_handler: 14324 20001000-20004000 already mapped failed -16 [ 848.405758] binder: BINDER_SET_CONTEXT_MGR already set 07:49:53 executing program 2: add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) 07:49:53 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 848.421583] binder: 14324:14331 ioctl 40046207 0 returned -16 [ 848.437386] binder: 14324:14348 got transaction to invalid handle [ 848.445432] binder: 14328:14347 got transaction to invalid handle [ 848.452781] binder: release 14324:14331 transaction 9715 in, still active [ 848.459824] binder: send failed reply for transaction 9715, target dead [ 848.466675] binder: undelivered TRANSACTION_ERROR: 29201 07:49:53 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x18020000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:53 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4c00000000000000, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 848.495524] binder: undelivered TRANSACTION_ERROR: 29201 07:49:53 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696300da28ecaa195a8100"}}) 07:49:53 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) [ 848.728777] binder: 14355:14368 got transaction to invalid handle 07:49:53 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x1800, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:53 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:49:53 executing program 2: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696300b05185cdedc2ce00"}}) 07:49:54 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0xa, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:54 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696300f08176fac316d600"}}) 07:49:54 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x12000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:54 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x0, 0xffff}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:49:54 executing program 2: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696300da28ecaa195a8100"}}) [ 849.205307] binder: BINDER_SET_CONTEXT_MGR already set [ 849.246346] binder: 14392:14394 ioctl 40046207 0 returned -16 [ 849.281406] binder_alloc: binder_alloc_mmap_handler: 14355 20001000-20004000 already mapped failed -16 [ 849.345468] binder: 14392:14399 got transaction to invalid handle [ 849.345553] binder: BINDER_SET_CONTEXT_MGR already set [ 849.429671] binder: send failed reply for transaction 9722 to 14392:14399 [ 849.440393] binder: 14355:14360 ioctl 40046207 0 returned -16 [ 850.018974] binder: undelivered TRANSACTION_COMPLETE 07:49:55 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000000000000, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:55 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0xa000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:55 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:55 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696300c2784d2090413d00"}}) 07:49:55 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x0, 0xffff}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:49:55 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x700, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:55 executing program 5: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00', 0x2, 0x0) bind$llc(r0, &(0x7f0000000080)={0x1a, 0xffff, 0xdb94, 0x1, 0x1, 0x0, @dev={[], 0x17}}, 0x10) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r1, &(0x7f00000000c0)=""/11, 0xeb) 07:49:55 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x600, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 850.922222] binder: BINDER_SET_CONTEXT_MGR already set [ 850.927762] binder: BINDER_SET_CONTEXT_MGR already set [ 850.933429] binder: 14425:14430 ioctl 40046207 0 returned -16 [ 850.938889] binder: 14422:14432 ioctl 40046207 0 returned -16 [ 850.951285] binder: 14419:14436 got transaction to invalid handle [ 850.957641] binder_transaction: 4 callbacks suppressed [ 850.957661] binder: 14419:14436 transaction failed 29201/-22, size 2305843009213693952-0 line 2855 [ 850.964523] binder_thread_release: 1 callbacks suppressed [ 850.964534] binder: release 14422:14432 transaction 9728 out, still active [ 850.985091] binder: unexpected work type, 4, not freed [ 850.990444] binder: undelivered TRANSACTION_COMPLETE 07:49:56 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x4002, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:56 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269632ccfcfba601d4e0c00"}}) [ 851.043091] binder: 14425:14438 got transaction to invalid handle [ 851.049500] binder: 14425:14438 transaction failed 29201/-22, size 0-1536 line 2855 [ 851.090450] binder: 14422:14443 got transaction to invalid handle [ 851.096843] binder: 14422:14443 transaction failed 29201/-22, size 0-1792 line 2855 [ 851.107498] binder_alloc: binder_alloc_mmap_handler: 14419 20001000-20004000 already mapped failed -16 07:49:56 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x0, 0xffff}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 851.153036] binder: BINDER_SET_CONTEXT_MGR already set [ 851.158612] binder: 14419:14444 got transaction to invalid handle [ 851.164985] binder: 14419:14444 transaction failed 29201/-22, size 2305843009213693952-0 line 2855 [ 851.193783] binder: release 14419:14428 transaction 9728 in, still active [ 851.196527] binder: 14419:14428 ioctl 40046207 0 returned -16 [ 851.200977] binder: send failed reply for transaction 9728, target dead [ 851.213604] binder_release_work: 4 callbacks suppressed [ 851.213611] binder: undelivered TRANSACTION_ERROR: 29201 [ 851.224580] binder: send failed reply for transaction 9731 to 14425:14438 [ 851.237891] binder: undelivered TRANSACTION_ERROR: 29201 07:49:56 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:56 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696300284441eb1425d300"}}) [ 851.313988] could not allocate digest TFM handle sha1-generic,Ϻ`N 07:49:56 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x2, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:56 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x500000000000000, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:56 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:49:56 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0xa00000000000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 851.640515] binder: 14469:14477 got transaction to invalid handle [ 851.646867] binder: 14469:14477 transaction failed 29201/-22, size 360287970189639680-0 line 2855 07:49:56 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:56 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00', 0x2, 0x0) mprotect(&(0x7f000067e000/0x1000)=nil, 0x1000, 0x2) r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r0, &(0x7f00000000c0)=""/11, 0xeb) [ 851.777206] binder: undelivered TRANSACTION_ERROR: 29201 [ 851.783606] binder: undelivered TRANSACTION_COMPLETE [ 851.788865] binder: undelivered TRANSACTION_ERROR: 29189 [ 851.832313] binder: undelivered TRANSACTION_ERROR: 29201 07:49:56 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0xff0f000000000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 851.918864] binder: BINDER_SET_CONTEXT_MGR already set 07:49:57 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:49:57 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) [ 851.964738] binder: 14485:14489 ioctl 40046207 0 returned -16 [ 851.972009] binder_alloc: binder_alloc_mmap_handler: 14469 20001000-20004000 already mapped failed -16 [ 852.004525] binder: BINDER_SET_CONTEXT_MGR already set [ 852.025059] binder: 14469:14493 got transaction to invalid handle [ 852.031466] binder: 14469:14493 transaction failed 29201/-22, size 360287970189639680-0 line 2855 [ 852.035511] binder: release 14485:14491 transaction 9739 out, still active [ 852.048079] binder: unexpected work type, 4, not freed [ 852.053490] binder: undelivered TRANSACTION_COMPLETE [ 852.073666] binder: release 14469:14473 transaction 9739 in, still active [ 852.080772] binder: send failed reply for transaction 9739, target dead [ 852.087624] binder: undelivered TRANSACTION_ERROR: 29201 [ 852.096034] binder: 14469:14473 ioctl 40046207 0 returned -16 [ 852.108381] binder: 14485:14491 got transaction to invalid handle [ 852.114872] binder: 14485:14491 transaction failed 29201/-22, size 0-536870912 line 2855 [ 852.125495] binder: undelivered TRANSACTION_ERROR: 29201 [ 852.728196] binder: undelivered TRANSACTION_ERROR: 29201 07:49:58 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x3c00, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:58 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696317f5e3a7339e6400"}}) 07:49:58 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x600000000000000, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:58 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:58 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:49:58 executing program 2: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696300284441eb1425d300"}}) 07:49:58 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xe75, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:58 executing program 5: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00', 0x2, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r0, &(0x7f00000000c0)=""/11, 0x1cf) [ 853.655092] binder: BINDER_SET_CONTEXT_MGR already set [ 853.682006] binder: 14523:14532 ioctl 40046207 0 returned -16 [ 853.695553] binder: 14524:14539 got transaction to invalid handle [ 853.701883] binder: 14524:14539 transaction failed 29201/-22, size 432345564227567616-0 line 2855 [ 853.702124] binder: release 14523:14540 transaction 9746 out, still active [ 853.718032] binder: unexpected work type, 4, not freed [ 853.723367] binder: undelivered TRANSACTION_COMPLETE 07:49:58 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:49:58 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x240, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 853.754002] binder_alloc: binder_alloc_mmap_handler: 14524 20001000-20004000 already mapped failed -16 [ 853.787777] binder: BINDER_SET_CONTEXT_MGR already set [ 853.794676] could not allocate digest TFM handle sha1-generic3d [ 853.816337] binder: 14524:14529 ioctl 40046207 0 returned -16 [ 853.833284] binder: 14524:14539 got transaction to invalid handle [ 853.839652] binder: 14524:14539 transaction failed 29201/-22, size 432345564227567616-0 line 2855 [ 853.874448] binder: 14523:14540 got transaction to invalid handle [ 853.880545] binder: release 14524:14529 transaction 9746 in, still active [ 853.880846] binder: 14523:14540 transaction failed 29201/-22, size 0-3701 line 2855 [ 853.887755] binder: send failed reply for transaction 9746, target dead [ 853.902556] binder: undelivered TRANSACTION_ERROR: 29201 07:49:58 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269630032d6214d27a3b100"}}) 07:49:59 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno'}, 0x2c, {'wfdno', 0x3d, r1}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 854.019338] binder: undelivered TRANSACTION_ERROR: 29201 07:49:59 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6800000000000000, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:59 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:49:59 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x6000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 854.133609] 9pnet: Insufficient options for proto=fd 07:49:59 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:49:59 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno'}, 0x2c, {'wfdno', 0x3d, r1}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:49:59 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0xf401, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:49:59 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000080)='/dev/mixer\x00', 0x400, 0x0) connect$pppoe(r0, &(0x7f0000000100)={0x18, 0x0, {0x4, @local, 'ipddp0\x00'}}, 0x1e) openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00', 0x2, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$UI_DEV_DESTROY(r0, 0x5502) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r1, &(0x7f00000000c0)=""/11, 0xeb) [ 854.455543] 9pnet: Insufficient options for proto=fd 07:49:59 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x500000000000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:49:59 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno'}, 0x2c, {'wfdno', 0x3d, r1}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 854.590718] binder: BINDER_SET_CONTEXT_MGR already set 07:49:59 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0xe803, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 854.618093] binder: 14592:14593 ioctl 40046207 0 returned -16 [ 854.658510] binder_alloc: binder_alloc_mmap_handler: 14567 20001000-20004000 already mapped failed -16 [ 854.703204] binder: BINDER_SET_CONTEXT_MGR already set [ 854.734226] 9pnet: Insufficient options for proto=fd [ 854.737044] binder: release 14567:14569 transaction 9753 in, still active [ 854.746510] binder: send failed reply for transaction 9753 to 14592:14594 [ 854.760906] binder: 14567:14569 ioctl 40046207 0 returned -16 07:49:59 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1200000000000000, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 855.415117] binder: undelivered TRANSACTION_COMPLETE [ 855.765795] binder_alloc: binder_alloc_mmap_handler: 14608 20001000-20004000 already mapped failed -16 [ 855.784815] binder: BINDER_SET_CONTEXT_MGR already set [ 855.797247] binder: 14608:14613 ioctl 40046207 0 returned -16 07:50:01 executing program 5: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00', 0x2, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r1, &(0x7f00000000c0)=""/11, 0xeb) getsockname$unix(r0, &(0x7f0000000100), &(0x7f0000000080)=0x6e) 07:50:01 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x3, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:01 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno'}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:50:01 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:50:01 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269630000244c77aba6b700"}}) 07:50:01 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:50:01 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x700, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 856.718801] binder: release 14621:14628 transaction 9762 out, still active [ 856.725972] binder: unexpected work type, 4, not freed [ 856.731349] binder: undelivered TRANSACTION_COMPLETE [ 856.742221] binder_alloc: 14621: binder_alloc_buf, no vma [ 856.748062] binder_transaction: 5 callbacks suppressed [ 856.748078] binder: 14621:14628 transaction failed 29189/-3, size 0-100663296 line 2970 [ 856.763363] binder: BINDER_SET_CONTEXT_MGR already set [ 856.769663] 9pnet: Insufficient options for proto=fd [ 856.774400] binder: 14624:14633 ioctl 40046207 0 returned -16 07:50:01 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x100000000000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:01 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno'}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:50:01 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269632db5cac63c7f998200"}}) 07:50:01 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x48000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 856.887129] binder_transaction: 5 callbacks suppressed [ 856.892564] binder: 14624:14639 got transaction to invalid handle [ 856.898850] binder: 14624:14639 transaction failed 29201/-22, size 1792-0 line 2855 [ 856.900585] binder: release 14621:14628 transaction 9762 in, still active [ 856.913745] binder: send failed reply for transaction 9762, target dead [ 856.920721] binder_release_work: 7 callbacks suppressed [ 856.920727] binder: undelivered TRANSACTION_ERROR: 29189 07:50:02 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x42, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:50:02 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) [ 857.100453] binder: release 14649:14651 transaction 9768 out, still active [ 857.107748] binder: unexpected work type, 4, not freed [ 857.113191] binder: undelivered TRANSACTION_COMPLETE [ 857.121608] 9pnet: Insufficient options for proto=fd 07:50:02 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x27519830, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:02 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno'}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:50:02 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963c75bf96fa49d8600"}}) [ 857.202406] could not allocate digest TFM handle sha1-generic-< [ 857.217497] binder_alloc: 14649: binder_alloc_buf, no vma [ 857.223267] binder: 14649:14651 transaction failed 29189/-3, size 0-1207959552 line 2970 [ 857.295088] binder: release 14649:14651 transaction 9768 in, still active [ 857.302221] binder: send failed reply for transaction 9768, target dead [ 857.309076] binder: undelivered TRANSACTION_ERROR: 29189 [ 857.466902] 9pnet: Insufficient options for proto=fd [ 857.541542] binder_alloc: binder_alloc_mmap_handler: 14624 20001000-20004000 already mapped failed -16 [ 857.562903] could not allocate digest TFM handle sha1-generic[o [ 857.564738] binder: 14624:14680 got transaction to invalid handle [ 857.575914] binder: 14624:14680 transaction failed 29201/-22, size 1792-0 line 2855 [ 857.589268] binder: undelivered TRANSACTION_ERROR: 29201 [ 857.595653] binder: undelivered TRANSACTION_ERROR: 29201 07:50:04 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:50:04 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfdfdffff00000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:50:04 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0xfeffffff, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:04 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000200)="2f70726f632f7379732f6e657400000000000000072f6578706972655f6e6f646553745f636f6e6e00210b6c12defabad2b644b24020b673ceda34f7b34667180f9270697ce0b53cfffecf1f80f8fffeabf7942754254d82003f6e2cf669c106281089176f1249f2591bf4983519b35eecce64fdd505", 0x2, 0x0) ioctl$SNDRV_TIMER_IOCTL_START(r0, 0x54a0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) write$FUSE_POLL(r0, &(0x7f0000000080)={0x18, 0x0, 0x8, {0xffffffffffff2f6d}}, 0x18) getdents64(r1, &(0x7f00000000c0)=""/11, 0xeb) 07:50:04 executing program 5: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00', 0x2, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) openat$ptmx(0xffffffffffffff9c, &(0x7f0000000100)='/dev/ptmx\x00', 0x200000000181fd, 0x0) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) 07:50:04 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963a9fc3a45fc250e00"}}) 07:50:04 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffff7f00000000, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:50:04 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) [ 859.094247] binder: release 14696:14702 transaction 9775 out, still active [ 859.101439] binder: unexpected work type, 4, not freed [ 859.106786] binder: undelivered TRANSACTION_COMPLETE [ 859.112896] binder: BINDER_SET_CONTEXT_MGR already set [ 859.134457] binder: 14692:14700 ioctl 40046207 0 returned -16 [ 859.166709] binder_alloc: 14696: binder_alloc_buf, no vma [ 859.172434] binder: 14696:14702 transaction failed 29189/-3, size 0--144678142324244480 line 2970 [ 859.203054] binder: 14692:14708 got transaction to invalid handle [ 859.209515] binder: 14692:14708 transaction failed 29201/-22, size -554050781184-0 line 2855 [ 859.238197] binder: release 14696:14702 transaction 9775 in, still active [ 859.245577] binder: send failed reply for transaction 9775, target dead 07:50:04 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x1000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:04 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:50:04 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963a11b41855ea15600"}}) [ 859.252455] binder: undelivered TRANSACTION_ERROR: 29189 [ 859.263680] could not allocate digest TFM handle sha1-generic:E% 07:50:04 executing program 5: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000080)='/dev/mixer\x00', 0x10000, 0x0) ioctl$PIO_FONTRESET(r0, 0x4b6d, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) getsockopt$inet_sctp6_SCTP_GET_LOCAL_ADDRS(r0, 0x84, 0x6d, &(0x7f0000000180)={0x0, 0x1000, "400b3cc9744c8e198d3e3fdb0756d48f8b098b4dbada06fe347d722e066b8643b33c35f8597a2ed1a423b69b597957345c5d8646da2846c9b71d3c1cd94db708d4c45fb23ba321fadf8b889110abacf73bde9dada9ed33613ed9b8906cc03078d6e039573f67cbc087fe4bd99f403739597bc037254971167889b3c09bc594d0c293095e2b311ea18727b7749627c9f350c32ced2b4f0126a455e1c8cb065c21548135b36a938bc70d40a29e34e8e5356b49f3be4cfefe451e2e4afb1784bf4e44d0da72f894529d70085c8a474fb2fdffecfcd1674c612699e394cfc8a278870c037827f80e35f85512145bb8a70e1ba5554af7046faa7a8f52a373c54d244352561bb8d11324985af5ca726e44827daf6cd3e8b043c4722aba2397a8fe1c1ea38303213104e30bf854ed8e63bce6e260f390567b4616c4de20c67cfa0f3552c5192ccb0412cecb0d5a24d4fd417b82ae477cdfdfac3fecc2f166ab4b4b6e50388fc38f43e778a0f810cf8d4d48b7ad3f95c9503b00118b6dc91d8c06eddf960c8c3916f4771cd25359839fbd8c233b703df4232e19f644f5c7104614263abe53e13af05bba0b632fdad08885b157c6d7f290f6238a86ad76bd22dd26cc237f01459de6c920ab5ce4847f17bd14a9b0d48ce3461e1b42eb7d54a296cbb317044387f6ed48e8418cce03802c9b10bb73531e68190a2143e6b277dfba6c8a42f8d1c90d45c7a5f15fa5fdb2d2d2fe74cc71318741d09d608d3749e5bce24be64029a41477287fb41616ae9c9f145330f5a9bd56a62219b81e10ebc8dce28a9f60ccc772a2d0d781de00dca05cf82bf2ea38aa3c8993f5b0987d8943eb5adc92bb8dea10f02c6dc5cd2b02cc6d011fdafa5ac3dc7d6a49e6ac1e6a3ed6f9d38c6ae9748e22cb69d1b5ae246577055e213cf493d2143e3a40d4f08f755ded7594f800cff02fc65013d6cf7d5921f1c01e759cf08fe3de8f1b4a3de76b3d48b52a2ea61149cf5eef4b0dacc297c11e5d067dfbc17dc22f3a3723e598441add52e46c44ddeb0e773dbdc91234c839be95a667c87074213d4a0ee6e1afcb4c33f7320ff488d2d3ad95e95126551614a251c0ad42c5885944c5ea0f8ef0f9c957914db89c4ba480d5233ad19693d42c0c9548e62c25767bc489a64dfaaa7d65428cdb3df921e54fb458110d3025478184f1a544b516bf76117a511130a45066aa1c6e444153630d9db78d0b8d47fbb22fdc5a422760d3c134f1dff0874e99756c1d3e7e7d5ee50e824e54de010bf8a292e0b5ec5e7acb0968e12eb0d675a05f863bb0e756205ed6270c064d2e1464729e68f7423f7cafcfdc063dd6c73528a46c601156046080d2cb562f135a0d75b885006269c46f6184d06f7ab8d7c94f9eaffdf3120935d8713a4c0d8a7d693701a7008d54aa38001a286e81b291237bdd60f853f9490260d0db48ae3ec1b13850fe8bbe0901857ff65e33435f0f49323ce0c6d1c2f3dfab517aef21cf930d07b6dd014221458091c29b180eb825392aa0e023998c6d2213bf64061574517bd71875fe002e5b623bef71f83ec48410dfb30cc7e9760ec35c861b02d9f70ee27723641fe9df75c89534abfe45c4547304defd161c83e73bd8fb41e907f59e23eeaec89d13e73cd40408273b6c64cacae8db2c314082b4d01c9be0eabf2f8d77d2998b7826e89292aaf1cbd7a584d77200bf4f3123852d506ddb3da1d368d894a329c4475a6c1ae1deea1bb1034e7e99e36f8c126b4cde52922deea12529dc3d4154fcd039e8a6db4917ab7b21fd1af2c625763bf98d249a68c76b3c445030ea456c9e7e6ef0ead8e63e60f793eb262dee810528b9641b4b54dde5a941ef22a60a5099e743cc8470a1db8cb1130767d728e409c26d86fe318f09ff59e121edee72e936868a62fce244510973ecf7241cc80a10a70df5b72d35e8855a4965199b258204cc742c3c961da04b061267e707acceb4b2d8852b1a496b57e5cfdb58299f107345fc49a95db79c85e73701a01b88313ba3da0c082123b96139499d89114b6cccd176f69874472d1532fbefd3dedd7cb6f9bc673cf5a047a958e233cbd224309ba9734be50011a1cd1c915ab77209104702c6d7cafff061386f900459763b754f42ffc9c6a95cfa0e1d52fc9f7d9dc890acb8900804b17024b2c850127e64648d6e7e380ad36a44cda8130b86588eb1ccb0d473516aaab295900bedf89be6748168927ed47dd0254d606219b97144b94e8dfa4d015de1dc28993c90709fd9cfe5961618beff4bb877810b734468cbd2e28980d3655cb32099b7b1aea85c6dc695ceb10f7a3624931bc8ba58ae4bd70649d68e670be8e8988f6dd5a675efbe8acff6d31e06bddce483659ef51482c97f330dd1696cbc1d1ba29b5c887c7734fe2f3cd2366e441195b19ffdceae69c45733b64884b9f4fa6230ef290ad24a01429c9fd93230d1294b45ee1c37a6cfb12246b82c5a87befc538bd412307da621d2ad5aea02accf08179ca5d35acf415268a68fc4b399e2443ce5cd4ddf7371162840b6954a22b2f67d48ca369fc2123eb395b1f3ac8977afa7e6a011eca02a8253f9261cee552f54c56499de8987db0a7386ecb570d066aabfc7728a3f56fbc6418a8875a0294b748d574997568237c4500ade243bb326c7b6f4bbd13b5d8ad46a51507a6bac4c9b13182ca3d7dc97dd73ef4f33cc5acf14093d5db8dcffb99c70ed8ca212d8adc37449a2743d7d9dd4c74c3d7cd24f96c6dc3d65868be3876cff06be6fcd4bb00d268e8f9280a4448245a63d328a64a42c96effb051769d3ebc924a8e2851bd7944668425710127f19b5f47425044d793d803115ca756046e024674202d5b83f5a813ac2d6b34c06d85d758867f324d0886951e5435d6b1aae1f3a1c855c28e0105a6fe1bd20be51eecd22fd1ed140c2fa9fd52afd0272e743da5d09fdd9ac9b197cc477fbc95ea93aca56bffee6ee45908d35f49e3700c25059b585b57b1a2c61b8dd196e29bcf4c356ed43187da4dabc99402099a9d5e79b52be89172f0e1d6b945f07c75894eb3ca01a25c3cbd556fe31a3231a9c72c20b5edb81cd084a2bf4616a9f76724e4473eafde7daa46fb989eb0e8533e5dd576cb95e63553bd29b4e3d5d49d8cbf3af5a4e898792d52affd1a7de403d3add120b1714574cadc18838485fa954b36340d9349fb310ee6d036f24b33ee8ccffd10ae8abc8922cc2295ec1e6cf0bdff82ac5143239ac6e92d55afd1c964a522a8005089948bed63735653a094fb3f1c63072e2d583a13f512343404998ec906bbf948a6cfb304fa3690e408ef262a4d22309899289638497a9eea451d7a87970807be82440c2aab5f65c2d33094f6d79522af7e979394f5e5e6947862af9e29ad31c040d828e3a309b58046376c05cbc139a3103b235a1a7bec5513570f36782173f35c7361418fb2a1c62ca81ada1777d35924b90f29e6ff4eabcd4f4decd6d1485fd72728703efe446e034a5dcb51ca2a87798839e0862995143f92f853555c719ab9f04f23e21c612e9d482171ad1ba85fa674724a77dd59275a51885546cffb0c6c141c5e89b3078b9c6287c666ad4995726289ae2c288069c266d5bee66642accd2a206f81f9ffce98cae17ef97acc5ab45ccd2227a64cc54350e661cc4b2f9968ab808bc16e569ac83a1a9ff10847489ff92007dc8e0ea40555968c3eab24871cc955e1cc3f22a2867278af47f48ddf1708c34e67a3e5fae137666ba88287165146ed662306eb9d828444bb73389a03f022b54cefd2a3a2e2f61793243ffedf73b008be23cc03a8ac9303a5211bde195f5c51d025d8cb8515768b9ad64c8d7eb17000c0ccbd0acc7d5431e9ac1316b73418af02cdeac7e8600cd4fb19cb8f46700b0b2ad26cd2eb14ac1871a21926833d162d0c79420f7b50dee1e8adcdd19617c35506ed27237fc141c8bd498dfeaaeae9ce635a2251c873ff90d5abed78df7ba7b636c7d10c663e6ff384e9ec1b2b453647731f7f147db29cae9f401a2c4da03927993aab2ac2bfd89c1ca5d9ee798499ba775c086091deb6c6ea9d01a6d205192bec2a727a2d010613860edb0c77aaa7803f1f11eef47bfb17ab575845077392e626c1be07868fdc6682cebfa0a47e8b5ad278573af027115d5b676c8140d3b337af7370c6ac92191054c564d8980819e85228b2b658b6271a9aad38da606d6b870d3f8bab9eb5aa6d633ff8fbfc06551506a6b341733f2cf25b96ede3578f6cfc520c736b0e1fdc02a0bc537eaf8193652596bec1e63223e290a3160c72f6ae57bcbf2b082c137ba909607126f65f26fd4bf63bd2e0bf1f2eaf9e91edd5d21359fd51ae806502c1baf29fc664e267b5884c606ce53c0936b358e16b76d52b846a299f709db1b5d41e4bbaf869d2c212739f6693c27524483de2eca0d64a9da0f8443a63940d04567d3d87d69719349ec74804baec4c93d6b4f9fc4187c991cb1702391ee087cf5d7a011623b3095430c50dcd0e734ae7764e32cdfe4919500f072c40def2032a41a14e53beb51139f3cb043d8214cc0228954f0ff9fbe5515e0ba4915b554ccb3ed6529f2b07e16920b9eeb115868cc62c0615e5b71f4d42e3bb380d9240d40773d8659420f1d38a44a9ec34a0264e04377f36d0bb22f25f9a5188f1aa676e8945c913ac812f6bdf587e7d957aa02da2af067f45edffd8766fe7c9f8f0f85034f0f8dab2a54911fe811627d81986f071e7bcd4ce2f1ce4fd72d06aa9334809e811b8657207feb3eb5890d37b9eebfe80a7ccbc198c9e81a6272960c68a0383b6fcf57760db4bc1245c0452669c2c07fca53c291af0b612c0fad58f1911112aac876baee6077ccd0fe94e26714d8c93247dfcba1b427153328bda0fb8f7d133238382e41cac67ddb30a866324a170c0b9e12c3e500a80ca2a55dfe586b7af25c215be942a0c61968ce19d1ac6704fc137e2da2daad4328b845f477bacb8ac16693caed4c5865b9dc89dc6339f488277e564cf3fd21561d596b1f42d6cfb5cb857148c34abb9432b1c47ec8a3ba8032d8593d0664c76e18cd75655be09411965c80002467831e9f62d9b669e7d4a74377d374c8fb8a60cd88eead322ab4327a6cc748879284cce9e7852a877197b298a2ddaa26b7b7e8ae5623305400e83cb0f6a39b12d3d4082eda893631f9c997ac292e59c84195eb12dd48e496600f6f13ed9b7a7dbef8fe32dc8593735ec0e4d1a516fe05d0a6cdc98516a12dda71eff427732b9b7b285153365a61b30937b6d057b51666f84f2f6f57eab5eb0d6b8be8527371ea414f713c558e19de4a062f432fc771faad5a1d5f361a3f3c629a7081f2ea1e3f0515ddd86bc596d148a2003838ca77f7cc31eafab9cdfba0702814bacb996a322fe87269bc951b621bf81b75ee0ec638c2e979ea48917fc8dd590e4de5c5bf66f8154685abd814516d39fcdef81de15e7fd978f2ce9e8c37430ce1e8bbb459ce0a0ba89871d28d707d2c1812bde4bbb69245b3f2e38c9eb9a2180d9b2cfe6fe5eecaaea6a4de0b0aacaaea16dbe70b8f71b3d18f94d905d5c0094f9afb38bb05f395270afaefab6218f87e76326869c65fafc64e090a8b3e0793408353c09c55264f920b7e0e24d9e6c930d8ffa43fed3445106bb5a9f16e1caa70f23f270d8d74ad0b42b41830db54d02c0bb2a535039a4cb09e4b02e70a6f5c18da0ca5815f5b2527ed5ecafca7503b64a2c8d2b6c0f32c2a110129659160c5b5327071f9b8c293aec52b62342eeb"}, &(0x7f00000000c0)=0x1008) getsockopt$inet_sctp6_SCTP_DEFAULT_PRINFO(r0, 0x84, 0x72, &(0x7f0000000100)={r1, 0x4, 0x30}, &(0x7f00000011c0)=0xc) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r0, &(0x7f0000000140)=""/11, 0xd0) [ 859.406874] binder: release 14720:14722 transaction 9781 out, still active [ 859.414066] binder: unexpected work type, 4, not freed [ 859.419432] binder: undelivered TRANSACTION_COMPLETE 07:50:04 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) 07:50:04 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:50:04 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x700, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 859.510658] binder_alloc: 14720: binder_alloc_buf, no vma [ 859.516476] binder: 14720:14722 transaction failed 29189/-3, size 0-83886080 line 2970 [ 859.560302] could not allocate digest TFM handle sha1-genericA^V [ 859.587687] could not allocate digest TFM handle sha1-genericA^V [ 859.593071] binder: release 14720:14722 transaction 9781 in, still active [ 859.601323] binder: send failed reply for transaction 9781, target dead 07:50:04 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 859.608139] binder: undelivered TRANSACTION_ERROR: 29189 07:50:04 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269632c11afbbda8f3a00"}}) [ 859.743926] binder: release 14745:14748 transaction 9786 out, still active [ 859.751126] binder: unexpected work type, 4, not freed [ 859.756486] binder: undelivered TRANSACTION_COMPLETE [ 859.772468] binder_alloc: 14745: binder_alloc_buf, no vma [ 859.778281] binder: 14745:14748 transaction failed 29189/-3, size 0-24576 line 2970 [ 859.884637] binder_alloc: binder_alloc_mmap_handler: 14692 20001000-20004000 already mapped failed -16 [ 859.916017] binder: release 14745:14748 transaction 9786 in, still active [ 859.923110] binder: send failed reply for transaction 9786, target dead 07:50:04 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x74, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:50:04 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) [ 859.926997] could not allocate digest TFM handle sha1-generic,ڏ: [ 859.929970] binder: undelivered TRANSACTION_ERROR: 29189 [ 859.945910] binder: 14692:14758 got transaction to invalid handle [ 859.952259] binder: 14692:14758 transaction failed 29201/-22, size -554050781184-0 line 2855 [ 859.998090] binder: undelivered TRANSACTION_ERROR: 29201 [ 860.010410] binder: undelivered TRANSACTION_ERROR: 29201 [ 860.084269] binder: unexpected work type, 4, not freed [ 860.089694] binder: undelivered TRANSACTION_COMPLETE [ 860.155104] binder_alloc: 14762: binder_alloc_buf, no vma [ 860.161016] binder: 14762:14764 transaction failed 29189/-3, size 0-116 line 2970 [ 860.276251] binder: send failed reply for transaction 9793, target dead [ 860.283205] binder: undelivered TRANSACTION_ERROR: 29189 07:50:06 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000200)="2f70726f632f7379732f6e657400000000000000072f6578706972655f6e6f646553745f636f6e6e00210b6c12defabad2b644b24020b673ceda34f7b34667180f9270697ce0b53cfffecf1f80f8fffeabf7942754254d82003f6e2cf669c106281089176f1249f2591bf4983519b35eecce64fdd505", 0x2, 0x0) ioctl$SNDRV_TIMER_IOCTL_START(r0, 0x54a0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) write$FUSE_POLL(r0, &(0x7f0000000080)={0x18, 0x0, 0x8, {0xffffffffffff2f6d}}, 0x18) getdents64(r1, &(0x7f00000000c0)=""/11, 0xeb) 07:50:06 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x3c, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:06 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x700000000000000, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:50:06 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963bee06138b8125d8d00"}}) 07:50:06 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:50:06 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x68, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:50:06 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) [ 861.710121] binder: unexpected work type, 4, not freed [ 861.715587] binder: undelivered TRANSACTION_COMPLETE [ 861.715935] binder: BINDER_SET_CONTEXT_MGR already set [ 861.739489] binder: 14777:14784 ioctl 40046207 0 returned -16 07:50:06 executing program 5: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00', 0x2, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) getdents64(r0, &(0x7f0000000080), 0x0) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r1, &(0x7f00000000c0)=""/11, 0xeb) [ 861.758898] binder_alloc: 14779: binder_alloc_buf, no vma [ 861.764549] binder: 14779:14782 transaction failed 29189/-3, size 0-104 line 2970 07:50:06 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x18000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 861.869547] binder: 14777:14799 got transaction to invalid handle [ 861.875943] binder: 14777:14799 transaction failed 29201/-22, size 504403158265495552-0 line 2855 [ 861.889446] could not allocate digest TFM handle sha1-generica8] 07:50:06 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffdfd, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 861.932441] binder_thread_release: 3 callbacks suppressed [ 861.932452] binder: release 14779:14782 transaction 9798 in, still active [ 861.945110] binder: send failed reply for transaction 9798, target dead [ 861.951941] binder: undelivered TRANSACTION_ERROR: 29189 07:50:07 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963005cb4b0c0762600"}}) 07:50:07 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x0) [ 862.082143] binder: release 14807:14810 transaction 9804 out, still active [ 862.089274] binder: unexpected work type, 4, not freed [ 862.094620] binder: undelivered TRANSACTION_COMPLETE 07:50:07 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x3000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 862.138941] binder_alloc: 14807: binder_alloc_buf, no vma [ 862.144699] binder: 14807:14810 transaction failed 29189/-3, size 0-4294966781 line 2970 07:50:07 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200000000000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 862.295961] binder: release 14807:14810 transaction 9804 in, still active [ 862.303035] binder: send failed reply for transaction 9804, target dead [ 862.309875] binder: undelivered TRANSACTION_ERROR: 29189 07:50:07 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:50:07 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269630046986cd03a5fbe00"}}) [ 862.389481] binder: release 14826:14827 transaction 9809 out, still active [ 862.396648] binder: unexpected work type, 4, not freed [ 862.402009] binder: undelivered TRANSACTION_COMPLETE [ 862.475232] binder_alloc: 14826: binder_alloc_buf, no vma [ 862.480940] binder: 14826:14827 transaction failed 29189/-3, size 0-144115188075855872 line 2970 [ 862.511496] binder_alloc: binder_alloc_mmap_handler: 14777 20001000-20004000 already mapped failed -16 [ 862.536689] binder: BINDER_SET_CONTEXT_MGR already set [ 862.553949] binder: 14777:14799 ioctl 40046207 0 returned -16 [ 862.580766] binder: 14777:14831 got transaction to invalid handle [ 862.587340] binder: 14777:14831 transaction failed 29201/-22, size 504403158265495552-0 line 2855 [ 862.608022] binder: release 14826:14827 transaction 9809 in, still active [ 862.615077] binder: send failed reply for transaction 9809, target dead [ 862.621919] binder: undelivered TRANSACTION_ERROR: 29189 [ 862.649478] binder: undelivered TRANSACTION_ERROR: 29201 [ 862.667660] binder: undelivered TRANSACTION_ERROR: 29201 07:50:09 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x0) 07:50:09 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x74000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:50:09 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x7, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:09 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:50:09 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfdfdffff, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:50:09 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:50:09 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269630008097540793ca900"}}) 07:50:09 executing program 5: perf_event_open(&(0x7f000001d000)={0x1, 0xfffffce7, 0x2, 0x3ff, 0x0, 0x0, 0x0, 0x87f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffd, 0x0, @perf_config_ext={0x9, 0x7f}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00', 0x2, 0x0) ioctl$PERF_EVENT_IOC_ID(r0, 0x80082407, &(0x7f0000000080)) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r1, &(0x7f00000000c0)=""/11, 0xb8) [ 864.320235] binder: release 14856:14857 transaction 9815 out, still active [ 864.327352] binder: unexpected work type, 4, not freed [ 864.332710] binder: undelivered TRANSACTION_COMPLETE [ 864.359816] binder: BINDER_SET_CONTEXT_MGR already set 07:50:09 executing program 7: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x0) [ 864.379199] binder_alloc: 14856: binder_alloc_buf, no vma [ 864.379634] binder: 14855:14863 ioctl 40046207 0 returned -16 [ 864.384854] binder: 14856:14857 transaction failed 29189/-3, size 0-5 line 2970 07:50:09 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963b5f8b65524bd900e00"}}) 07:50:09 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x18, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:09 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6000000000000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 864.487350] binder: release 14856:14857 transaction 9815 in, still active [ 864.494374] binder: send failed reply for transaction 9815, target dead [ 864.501213] binder: undelivered TRANSACTION_ERROR: 29189 [ 864.525734] binder: release 14870:14872 transaction 9820 out, still active [ 864.532861] binder: unexpected work type, 4, not freed [ 864.538192] binder: undelivered TRANSACTION_COMPLETE [ 864.543723] binder: 14855:14871 got transaction to invalid handle [ 864.550087] binder: 14855:14871 transaction failed 29201/-22, size 4261281791-0 line 2855 [ 864.579600] binder_alloc: 14870: binder_alloc_buf, no vma [ 864.585387] binder: 14870:14872 transaction failed 29189/-3, size 0-1946157056 line 2970 07:50:09 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:50:09 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x0) [ 864.725466] binder: release 14870:14872 transaction 9820 in, still active [ 864.732638] binder: send failed reply for transaction 9820, target dead [ 864.739446] binder: undelivered TRANSACTION_ERROR: 29189 07:50:09 executing program 5: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1000000007f, 0x40000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00', 0x2, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r0, &(0x7f00000000c0)=""/11, 0xeb) [ 864.774475] binder: release 14882:14887 transaction 9826 out, still active [ 864.781744] binder: unexpected work type, 4, not freed [ 864.787086] binder: undelivered TRANSACTION_COMPLETE [ 864.805748] binder_alloc: 14882: binder_alloc_buf, no vma [ 864.811547] binder: 14882:14887 transaction failed 29189/-3, size 0-6917529027641081856 line 2970 07:50:09 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x91ffffff00000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:09 executing program 7: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269630030d9f91648995d00"}}) [ 864.843554] could not allocate digest TFM handle sha1-genericU$ 07:50:09 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x750e000000000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:50:09 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963638ec4f48ac5d19500"}}) [ 864.948718] binder: send failed reply for transaction 9826, target dead [ 864.955654] binder: undelivered TRANSACTION_ERROR: 29189 [ 865.102437] binder: unexpected work type, 4, not freed [ 865.107855] binder: undelivered TRANSACTION_COMPLETE 07:50:10 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x200000000000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 865.155649] binder_alloc: binder_alloc_mmap_handler: 14855 20001000-20004000 already mapped failed -16 [ 865.170846] binder_alloc: 14908: binder_alloc_buf, no vma [ 865.176722] binder: 14908:14917 transaction failed 29189/-3, size 0-8434679152111517696 line 2970 [ 865.196246] could not allocate digest TFM handle sha1-genericcѕ [ 865.221996] binder: BINDER_SET_CONTEXT_MGR already set [ 865.289590] binder: 14855:14921 got transaction to invalid handle [ 865.316299] binder: 14855:14871 ioctl 40046207 0 returned -16 [ 865.332374] binder: undelivered TRANSACTION_ERROR: 29201 07:50:10 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:50:10 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963007c6cbdd56620a700"}}) 07:50:10 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7400, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:50:10 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x42, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008031, 0xffffffffffffffff, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 865.341505] binder: undelivered TRANSACTION_ERROR: 29201 [ 865.369644] binder: send failed reply for transaction 9831, target dead 07:50:10 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x1802000000000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:10 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) [ 865.512267] binder: unexpected work type, 4, not freed [ 865.517810] binder: undelivered TRANSACTION_COMPLETE [ 865.558023] binder: BINDER_SET_CONTEXT_MGR already set 07:50:10 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0xff0f, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 865.690728] binder: 14936:14948 got transaction to invalid handle [ 865.691406] binder: 14936:14939 ioctl 40046207 0 returned -16 [ 865.710751] binder_alloc: 14929: binder_alloc_buf, no vma [ 865.757452] binder_alloc: binder_alloc_mmap_handler: 14936 20001000-20004000 already mapped failed -16 07:50:10 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269638cb3680e10313200"}}) 07:50:10 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400000000000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 865.803249] binder: send failed reply for transaction 9837, target dead [ 865.836751] binder: 14936:14948 got transaction to invalid handle 07:50:10 executing program 7: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) [ 866.046317] binder: unexpected work type, 4, not freed [ 866.051752] binder: undelivered TRANSACTION_COMPLETE [ 866.138595] binder_alloc: 14961: binder_alloc_buf, no vma [ 866.221024] could not allocate digest TFM handle sha1-generich12 [ 866.285261] binder: send failed reply for transaction 9845, target dead 07:50:11 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x100000000000000, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:50:11 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x74000000, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:50:11 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x900, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:11 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963a41c74acea61b800"}}) 07:50:11 executing program 7: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:50:11 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:50:11 executing program 5: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00', 0x2, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) openat(r1, &(0x7f00000000c0)='./file0\x00', 0x800, 0x40) r2 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000000000000003, 0x8031, r0, 0x0) epoll_ctl$EPOLL_CTL_DEL(r1, 0x2, r2) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000080)) getdents64(r1, &(0x7f0000000040)=""/11, 0xfffffc7d) [ 866.591330] binder: unexpected work type, 4, not freed [ 866.596876] binder: undelivered TRANSACTION_COMPLETE [ 866.606473] binder: BINDER_SET_CONTEXT_MGR already set [ 866.628982] binder: 14979:14988 ioctl 40046207 0 returned -16 [ 866.667612] binder_alloc: 14984: binder_alloc_buf, no vma [ 866.701059] binder: 14979:14995 got transaction to invalid handle [ 866.712564] could not allocate digest TFM handle sha1-genericta 07:50:11 executing program 7: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:50:11 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0xf401000000000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 866.803702] binder: send failed reply for transaction 9850, target dead [ 867.387372] binder_alloc: binder_alloc_mmap_handler: 14979 20001000-20004000 already mapped failed -16 [ 867.419808] binder: 14979:15017 got transaction to invalid handle [ 867.426112] binder_transaction: 7 callbacks suppressed [ 867.426127] binder: 14979:15017 transaction failed 29201/-22, size 1946157056-0 line 2855 [ 867.440422] binder_release_work: 6 callbacks suppressed [ 867.440428] binder: undelivered TRANSACTION_ERROR: 29201 [ 867.458675] binder: undelivered TRANSACTION_ERROR: 29201 07:50:12 executing program 2: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963715b094da3465400"}}) 07:50:12 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6c, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:50:12 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963c25b1892a2c9da00"}}) 07:50:12 executing program 7: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = accept4(0xffffffffffffffff, 0x0, &(0x7f0000000080), 0x80000) setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd, &(0x7f0000000100)='scalable\x00', 0x9) openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00', 0x2, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) write$nbd(r0, &(0x7f0000000240)=ANY=[@ANYBLOB="674466980000000000000100010000005fd24e6a4802e106639fb41f25f6374581bc6cbc9df6b5f3474b5c678a14720317b2f555d535e21a5f418dd1960eabd1b9d21ee3760b17f88cf3cfb868912630989cc09eb0abf14594a3b1131b88e90cc5d5b08c742db83467698fc2106f8e362cd9e268e7ea0cb6ba52b249b94410d4570d00"], 0x15) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f00000001c0)='IPVS\x00') sendmsg$IPVS_CMD_GET_DEST(r0, &(0x7f00000003c0)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000000200)={&(0x7f0000000300)={0x8c, r2, 0x101, 0x70bd2d, 0x25dfdbfd, {}, [@IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x9}, @IPVS_CMD_ATTR_DEST={0xc, 0x2, [@IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x7}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x8}, @IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x3}, @IPVS_CMD_ATTR_DEST={0x54, 0x2, [@IPVS_DEST_ATTR_PERSIST_CONNS={0x8}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x3}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e21}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0x8}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e20}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e22}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x14}, @IPVS_DEST_ATTR_ACTIVE_CONNS={0x8, 0x7, 0x3}, @IPVS_DEST_ATTR_ACTIVE_CONNS={0x8, 0x7, 0xffffffffffffff1b}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x5}]}]}, 0x8c}, 0x1, 0x0, 0x0, 0x8000}, 0x40) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$int_out(r1, 0x5460, &(0x7f0000000140)) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r1, &(0x7f00000000c0)=""/11, 0xeb) 07:50:12 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:50:12 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:50:12 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0xfeffffff00000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 867.963006] binder_thread_release: 9 callbacks suppressed [ 867.963018] binder: release 15022:15027 transaction 9858 out, still active [ 867.975758] binder: unexpected work type, 4, not freed [ 867.981112] binder: undelivered TRANSACTION_COMPLETE [ 868.031753] binder: BINDER_SET_CONTEXT_MGR already set [ 868.061121] binder_alloc: 15022: binder_alloc_buf, no vma [ 868.066392] binder: 15021:15032 ioctl 40046207 0 returned -16 [ 868.066777] binder: 15022:15027 transaction failed 29189/-3, size 0-108 line 2970 07:50:13 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0xf4010000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 868.128209] could not allocate digest TFM handle sha1-generic[ [ 868.167069] binder: 15021:15044 got transaction to invalid handle [ 868.173506] binder: 15021:15044 transaction failed 29201/-22, size 536870912-0 line 2855 07:50:13 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696394be02e2ab9b2e00"}}) 07:50:13 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x60, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 868.230221] binder: release 15022:15027 transaction 9858 in, still active [ 868.237257] binder: send failed reply for transaction 9858, target dead [ 868.242663] could not allocate digest TFM handle sha1-genericq[ MFT [ 868.244182] binder: undelivered TRANSACTION_ERROR: 29189 07:50:13 executing program 2: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696375cad30f0493530100"}}) 07:50:13 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:50:13 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x9000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 868.383877] binder: release 15055:15057 transaction 9864 out, still active [ 868.391187] binder: unexpected work type, 4, not freed [ 868.396513] binder: undelivered TRANSACTION_COMPLETE [ 868.439448] binder_alloc: 15055: binder_alloc_buf, no vma [ 868.445427] binder: 15055:15057 transaction failed 29189/-3, size 0-96 line 2970 [ 868.484042] could not allocate digest TFM handle sha1-generic⫛. [ 868.596691] binder: release 15055:15057 transaction 9864 in, still active [ 868.603784] binder: send failed reply for transaction 9864, target dead [ 868.610630] binder: undelivered TRANSACTION_ERROR: 29189 [ 868.684748] could not allocate digest TFM handle sha1-genericuS [ 868.784643] binder_alloc: binder_alloc_mmap_handler: 15021 20001000-20004000 already mapped failed -16 [ 868.814696] binder: 15021:15076 got transaction to invalid handle [ 868.821146] binder: 15021:15076 transaction failed 29201/-22, size 536870912-0 line 2855 [ 868.876676] binder: undelivered TRANSACTION_ERROR: 29201 [ 868.885518] binder: undelivered TRANSACTION_ERROR: 29201 07:50:14 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x300, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:14 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xe74, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:50:14 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963b4cab98b9ce20c00"}}) 07:50:14 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:50:14 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:50:14 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:50:14 executing program 7: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = accept4(0xffffffffffffffff, 0x0, &(0x7f0000000080), 0x80000) setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd, &(0x7f0000000100)='scalable\x00', 0x9) openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00', 0x2, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) write$nbd(r0, &(0x7f0000000240)=ANY=[@ANYBLOB="674466980000000000000100010000005fd24e6a4802e106639fb41f25f6374581bc6cbc9df6b5f3474b5c678a14720317b2f555d535e21a5f418dd1960eabd1b9d21ee3760b17f88cf3cfb868912630989cc09eb0abf14594a3b1131b88e90cc5d5b08c742db83467698fc2106f8e362cd9e268e7ea0cb6ba52b249b94410d4570d00"], 0x15) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f00000001c0)='IPVS\x00') sendmsg$IPVS_CMD_GET_DEST(r0, &(0x7f00000003c0)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000000200)={&(0x7f0000000300)={0x8c, r2, 0x101, 0x70bd2d, 0x25dfdbfd, {}, [@IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x9}, @IPVS_CMD_ATTR_DEST={0xc, 0x2, [@IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x7}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x8}, @IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x3}, @IPVS_CMD_ATTR_DEST={0x54, 0x2, [@IPVS_DEST_ATTR_PERSIST_CONNS={0x8}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x3}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e21}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0x8}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e20}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e22}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x14}, @IPVS_DEST_ATTR_ACTIVE_CONNS={0x8, 0x7, 0x3}, @IPVS_DEST_ATTR_ACTIVE_CONNS={0x8, 0x7, 0xffffffffffffff1b}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x5}]}]}, 0x8c}, 0x1, 0x0, 0x0, 0x8000}, 0x40) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$int_out(r1, 0x5460, &(0x7f0000000140)) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r1, &(0x7f00000000c0)=""/11, 0xeb) 07:50:14 executing program 5: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00', 0x2, 0x0) syz_open_dev$mice(&(0x7f0000000500)='/dev/input/mice\x00', 0x0, 0x8002) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) write$P9_RLERRORu(r0, &(0x7f0000000080)={0x36, 0x7, 0x1, {{0x29, '/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00'}, 0x8000}}, 0x36) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r1, &(0x7f00000000c0)=""/11, 0xeb) ioctl$KVM_SET_LAPIC(r0, 0x4400ae8f, &(0x7f0000000100)={"08f20306b0e04d419976708793cbc89e9fa4144aa329f8de7bfdd9193f0843a663f6e838fcf89dc5c6a063490de9526daff214a9c4607198701c30332de9bad75fa2df4c22774c72ee4086fff9a93ad73f62cae5961ff3305b5ba8e7ad4b3f69eeeb11c0f5352a329c827030abb4d0fde9f3e28e54305ba6249b9c3964783a8b4c8c8321d3f58286f98c51087ac73e0bc237ebd5818618a0032f5e30cff9328241fe1e7c3a72ed3415e35557e1d0e3d51fbbb5a2c63ab910cfac39540e862a28c593cc09c4fac29bf5874e52d2db9ee2e5496abad937fcc889693a168110f383a3c2e68898ae1d7dd90bd7817e8d5fd1a298346dbc29d8dea049182f3055e1a177f9b0350a5dd1f91a3809d534f6144d9f1334b71ee1bba211c581232dc8ce62ea4f425f4c8a33683a93d7e6bfc1689ecb8be44602f9a0ee002a432c1cc4aa4599da0416d229f2d15d264ea0a426a27d6b0d670bae56a637fa2360dfdc56f96daf3477daff2a93c1c645d33f30a55418f2f1cdca2258605a14f3a53b43144ee53926f2ac2ea4fe779e1ffe0dfd6fa7f270dee1ffcdd5bcad512dec8f10231e2e6dea38ef6697e959d3fbcee33676fea3a9b963d4de8fb4615760c94ac1e5a48f320237d1adff2558ce10f3d0301af93eb918c8355407e86c03424dbcc2d4932d3648f86362fb0d1213fc547892720c3eaf3d70babc2aabf33705ed387f65e16ce0a080631d204d9a001a7094c9e768a3deebe4a522e44909ad71d2296e244536ad5ffdc051ce71a665f5de285051bccafb69dd653fc3d0febc6851c8f06b136ec7ba39e846fad0b92f30b65a2089f6928a193c7078af99bae8f33337277d18aa6f6e1318ebfc973fae6babf3aba5f59811c37f1b03f8080fbfa05f1347744bb80edb2acac3bf1d27fb783cb3259681fed84ed0b60d9f3c6e94ce532cf7b7470694502b03771947aaedd82de6394bfa5e9138cfcf0e5ac744b47be37b2e75e0ed8fba79590909c151e4c79075fe92e38d8314918b0108a64af36a4958496ba545ca3c3a9b2bd68de2f8544ac88401e05565221e7ae97a9b1042712c2471c4f44d3ccdbaaa2da95ec0d68c5cce09623b01279643469ed7301c463a6f7f1af40f2e36aaf4a8a0e4803e90fcc3a5050c072a801719d6f74d96fb0fa00c603844d4608ce2f275135c40aa0a93e9d055503cb506fc28f6111fd87102485fe7af022b6e8c3b4f47cd4aa9b3f3f2c8682d3ccab7bda32632f9a79ea905308ed9bb7907dfe85423cca6376042a297861fd5b0131743f3222dc463ae1e523ea45878cfdc1bd8dc64a3e0ff719a94e36ef8529934b314fc5bda5a1d5142ce4db7093c33b8aa930912cff9a21c8d8a88bb1321838ed3de5d859bb16a63d6448a02d4894c781db475c1bf30ff7f446af27746c8f05d1524ab3c0770e784df0fe4e45beba32f4d"}) [ 869.550298] binder: BINDER_SET_CONTEXT_MGR already set [ 869.565450] binder: 15088:15095 ioctl 40046207 0 returned -16 [ 869.588397] binder: 15086:15103 got transaction to invalid handle [ 869.594828] binder: 15086:15103 transaction failed 29201/-22, size 4-0 line 2855 07:50:14 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x42, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6, 0x0, 0x0, 0x0, 0x9917, 0xffff}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x1000002, 0x800000000008031, 0xffffffffffffffff, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r3}}) add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x24, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 869.653807] could not allocate digest TFM handle sha1-genericʹ [ 869.671336] binder_alloc: binder_alloc_mmap_handler: 15086 20001000-20004000 already mapped failed -16 [ 869.690055] binder: 15088:15108 got transaction to invalid handle [ 869.696480] binder: 15088:15108 transaction failed 29201/-22, size 0-3700 line 2855 07:50:14 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0xe00, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:14 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269637c2c58aea0cbee8100"}}) [ 869.718267] binder: BINDER_SET_CONTEXT_MGR already set [ 869.735671] binder: 15086:15093 ioctl 40046207 0 returned -16 [ 869.759706] binder: 15086:15111 got transaction to invalid handle [ 869.766077] binder: 15086:15111 transaction failed 29201/-22, size 4-0 line 2855 [ 869.775955] binder: release 15086:15093 transaction 9872 in, still active [ 869.783029] binder: send failed reply for transaction 9872 to 15088:15108 [ 869.790033] binder: undelivered TRANSACTION_ERROR: 29201 07:50:14 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7a000000, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 869.813210] binder: undelivered TRANSACTION_ERROR: 29201 07:50:14 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:50:15 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x3c00000000000000, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 870.104341] binder: 15122:15129 got transaction to invalid handle [ 870.110706] binder: 15122:15129 transaction failed 29201/-22, size 2046820352-0 line 2855 [ 870.131745] could not allocate digest TFM handle sha1-generic|,X 07:50:15 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963f09d2eb8a9e8d26e00"}}) 07:50:15 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x740e, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 870.402978] binder: undelivered TRANSACTION_ERROR: 29201 [ 870.411083] binder: undelivered TRANSACTION_COMPLETE [ 870.416408] binder: undelivered TRANSACTION_ERROR: 29189 07:50:15 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x600, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 870.578979] binder: BINDER_SET_CONTEXT_MGR already set 07:50:15 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) [ 870.607296] could not allocate digest TFM handle sha1-generic.n [ 870.626615] binder: 15143:15145 ioctl 40046207 0 returned -16 [ 870.656521] binder_alloc: binder_alloc_mmap_handler: 15122 20001000-20004000 already mapped failed -16 [ 870.694111] binder: BINDER_SET_CONTEXT_MGR already set 07:50:15 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269630066c54c4ca1154100"}}) [ 870.736247] binder: 15122:15125 ioctl 40046207 0 returned -16 [ 870.757323] binder: 15143:15147 got transaction to invalid handle [ 870.762633] binder: 15122:15151 got transaction to invalid handle [ 870.763734] binder: 15143:15147 transaction failed 29201/-22, size 0-29710 line 2855 07:50:15 executing program 7: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = accept4(0xffffffffffffffff, 0x0, &(0x7f0000000080), 0x80000) setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd, &(0x7f0000000100)='scalable\x00', 0x9) openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00', 0x2, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) write$nbd(r0, &(0x7f0000000240)=ANY=[@ANYBLOB="674466980000000000000100010000005fd24e6a4802e106639fb41f25f6374581bc6cbc9df6b5f3474b5c678a14720317b2f555d535e21a5f418dd1960eabd1b9d21ee3760b17f88cf3cfb868912630989cc09eb0abf14594a3b1131b88e90cc5d5b08c742db83467698fc2106f8e362cd9e268e7ea0cb6ba52b249b94410d4570d00"], 0x15) r2 = syz_genetlink_get_family_id$ipvs(&(0x7f00000001c0)='IPVS\x00') sendmsg$IPVS_CMD_GET_DEST(r0, &(0x7f00000003c0)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f0000000200)={&(0x7f0000000300)={0x8c, r2, 0x101, 0x70bd2d, 0x25dfdbfd, {}, [@IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x9}, @IPVS_CMD_ATTR_DEST={0xc, 0x2, [@IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x7}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x8}, @IPVS_CMD_ATTR_TIMEOUT_UDP={0x8, 0x6, 0x3}, @IPVS_CMD_ATTR_DEST={0x54, 0x2, [@IPVS_DEST_ATTR_PERSIST_CONNS={0x8}, @IPVS_DEST_ATTR_FWD_METHOD={0x8, 0x3, 0x3}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e21}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0x8}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e20}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e22}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x14}, @IPVS_DEST_ATTR_ACTIVE_CONNS={0x8, 0x7, 0x3}, @IPVS_DEST_ATTR_ACTIVE_CONNS={0x8, 0x7, 0xffffffffffffff1b}, @IPVS_DEST_ATTR_PERSIST_CONNS={0x8, 0x9, 0x5}]}]}, 0x8c}, 0x1, 0x0, 0x0, 0x8000}, 0x40) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$int_out(r1, 0x5460, &(0x7f0000000140)) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r1, &(0x7f00000000c0)=""/11, 0xeb) [ 870.781554] binder: release 15122:15125 transaction 9879 in, still active [ 870.788654] binder: send failed reply for transaction 9879 to 15143:15147 07:50:15 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7a0e, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:50:15 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x9, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:16 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269637f770b685299525c00"}}) [ 871.197741] binder: 15165:15171 got transaction to invalid handle [ 871.463748] binder: undelivered TRANSACTION_COMPLETE [ 871.548713] could not allocate digest TFM handle sha1-genericw hRR\ [ 871.949952] binder_alloc: binder_alloc_mmap_handler: 15165 20001000-20004000 already mapped failed -16 [ 871.977718] binder: BINDER_SET_CONTEXT_MGR already set [ 871.983941] binder: 15165:15171 ioctl 40046207 0 returned -16 [ 871.995956] binder: 15165:15185 got transaction to invalid handle 07:50:17 executing program 5: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00', 0x2, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x40000, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r0, &(0x7f00000000c0)=""/11, 0xeb) 07:50:17 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x500, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:17 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:50:17 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x700, 0x0, &(0x7f0000000080)}) 07:50:17 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4c00, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:50:17 executing program 7: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963b4cab98b9ce20c00"}}) 07:50:17 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) 07:50:17 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269630000000418d757f200"}}) [ 872.708753] binder: BINDER_SET_CONTEXT_MGR already set [ 872.729749] binder: 15192:15199 ioctl 40046207 0 returned -16 [ 872.754796] binder: release 15192:15208 transaction 9888 out, still active [ 872.761929] binder: unexpected work type, 4, not freed [ 872.767399] binder: undelivered TRANSACTION_COMPLETE [ 872.773313] binder_alloc: 15192: binder_alloc_buf, no vma 07:50:17 executing program 2: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f, 0x9, 0x2, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3ff}}, 0x43) add_key$keyring(&(0x7f0000000940)='keyring\x00', &(0x7f0000000540), 0x0, 0x0, r1) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x101000, 0x0) [ 872.779090] binder_transaction: 3 callbacks suppressed [ 872.779108] binder: 15190:15209 transaction failed 29189/-3, size 19456-0 line 2970 [ 872.794373] could not allocate digest TFM handle sha1-genericʹ 07:50:17 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x30985127, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:17 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696371e78cd38a392700"}}) 07:50:17 executing program 7 (fault-call:5 fault-nth:0): socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 872.961550] binder_alloc: binder_alloc_mmap_handler: 15190 20001000-20004000 already mapped failed -16 [ 872.970221] binder: 15192:15208 transaction failed 29201/-22, size 0-0 line 2855 [ 873.006081] binder: BINDER_SET_CONTEXT_MGR already set [ 873.021266] binder: 15190:15202 ioctl 40046207 0 returned -16 [ 873.068327] FAULT_INJECTION: forcing a failure. [ 873.068327] name failslab, interval 1, probability 0, space 0, times 0 [ 873.079651] CPU: 0 PID: 15224 Comm: syz-executor7 Not tainted 4.19.0-rc2-next-20180904+ #55 [ 873.088154] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 873.097515] Call Trace: [ 873.100119] dump_stack+0x1c9/0x2b4 [ 873.103776] ? dump_stack_print_info.cold.2+0x52/0x52 [ 873.109001] should_fail.cold.4+0xa/0x11 [ 873.113093] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 873.118222] ? lock_downgrade+0x8f0/0x8f0 [ 873.122395] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 873.127941] ? proc_fail_nth_write+0x9e/0x210 [ 873.132454] ? find_held_lock+0x36/0x1c0 [ 873.136544] ? check_same_owner+0x340/0x340 [ 873.140874] ? __lock_is_held+0xb5/0x140 [ 873.144944] ? rcu_note_context_switch+0x680/0x680 [ 873.149897] __should_failslab+0x124/0x180 [ 873.154148] should_failslab+0x9/0x14 [ 873.157964] __kmalloc_track_caller+0x2ae/0x720 [ 873.162647] ? strncpy_from_user+0x510/0x510 [ 873.167064] ? strndup_user+0x77/0xd0 [ 873.170899] memdup_user+0x2c/0xa0 [ 873.174446] strndup_user+0x77/0xd0 [ 873.178080] ksys_mount+0x3c/0x140 [ 873.181628] __x64_sys_mount+0xbe/0x150 [ 873.185612] do_syscall_64+0x1b9/0x820 [ 873.189509] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 873.194890] ? syscall_return_slowpath+0x5e0/0x5e0 [ 873.199836] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 873.204687] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 873.209710] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 873.214734] ? prepare_exit_to_usermode+0x291/0x3b0 [ 873.219764] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 873.224717] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 873.229921] RIP: 0033:0x457099 [ 873.233119] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 873.252025] RSP: 002b:00007f7d81711c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 873.259740] RAX: ffffffffffffffda RBX: 00007f7d817126d4 RCX: 0000000000457099 07:50:18 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x1f4, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:18 executing program 2 (fault-call:2 fault-nth:0): write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x0, 0x0) [ 873.267012] RDX: 00000000200003c0 RSI: 0000000020000380 RDI: 0000000000000000 [ 873.274281] RBP: 00000000009300a0 R08: 00000000200004c0 R09: 0000000000000000 [ 873.281552] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007 [ 873.288822] R13: 00000000004d3228 R14: 00000000004c81cc R15: 0000000000000000 [ 873.299096] binder_transaction: 1 callbacks suppressed [ 873.299106] binder: 15190:15229 got transaction to invalid handle [ 873.310866] binder: 15190:15229 transaction failed 29201/-22, size 19456-0 line 2855 07:50:18 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) [ 873.337670] could not allocate digest TFM handle sha1-genericqӊ9' [ 873.371040] binder: release 15190:15202 transaction 9888 in, still active [ 873.378063] binder: send failed reply for transaction 9888, target dead 07:50:18 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696375083da49a5eb400"}}) 07:50:18 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 873.384893] binder_release_work: 6 callbacks suppressed [ 873.384908] binder: undelivered TRANSACTION_ERROR: 29189 [ 873.427352] binder: undelivered TRANSACTION_ERROR: 29201 [ 873.643556] could not allocate digest TFM handle sha1-genericu=^ [ 873.671734] binder: 15245:15257 got transaction to invalid handle [ 873.678058] binder: 15245:15257 transaction failed 29201/-22, size 7-0 line 2855 [ 874.406822] binder_alloc: binder_alloc_mmap_handler: 15245 20001000-20004000 already mapped failed -16 [ 874.416739] binder: BINDER_SET_CONTEXT_MGR already set [ 874.422872] binder: 15245:15257 ioctl 40046207 0 returned -16 [ 874.430377] binder: 15245:15264 got transaction to invalid handle [ 874.436794] binder: 15245:15264 transaction failed 29201/-22, size 7-0 line 2855 [ 874.445344] binder: undelivered TRANSACTION_ERROR: 29201 [ 874.453098] binder: undelivered TRANSACTION_ERROR: 29201 07:50:20 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x0, 0x0) 07:50:20 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x60, 0x0, &(0x7f0000000080)}) 07:50:20 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0xa00, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:20 executing program 7 (fault-call:5 fault-nth:1): socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:50:20 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269631500"}}) 07:50:20 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:50:20 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x60, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:50:20 executing program 5: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00', 0x2, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f00000002c0)='/dev/ptmx\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$KVM_SET_FPU(r0, 0x41a0ae8d, &(0x7f0000000100)={[], 0x1, 0x5, 0x4, 0x0, 0x7f, 0x100000, 0x6000, [], 0x8000}) socketpair(0xa, 0x1, 0x1, &(0x7f0000000080)) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r1, &(0x7f0000000300)=""/11, 0xfffffffffffffec3) [ 875.202660] binder: release 15268:15279 transaction 9898 out, still active [ 875.205468] binder: BINDER_SET_CONTEXT_MGR already set [ 875.209837] binder: unexpected work type, 4, not freed [ 875.220506] binder: undelivered TRANSACTION_COMPLETE [ 875.243108] FAULT_INJECTION: forcing a failure. [ 875.243108] name failslab, interval 1, probability 0, space 0, times 0 [ 875.254438] CPU: 1 PID: 15281 Comm: syz-executor7 Not tainted 4.19.0-rc2-next-20180904+ #55 [ 875.262508] binder: 15270:15283 ioctl 40046207 0 returned -16 [ 875.262937] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 875.262946] Call Trace: [ 875.262987] dump_stack+0x1c9/0x2b4 [ 875.284429] ? dump_stack_print_info.cold.2+0x52/0x52 [ 875.289636] ? __kernel_text_address+0xd/0x40 [ 875.294151] ? unwind_get_return_address+0x61/0xa0 [ 875.298238] could not allocate digest TFM handle sha1-generic [ 875.299106] should_fail.cold.4+0xa/0x11 [ 875.299130] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 875.299150] ? save_stack+0xa9/0xd0 [ 875.299168] ? kasan_kmalloc+0xc4/0xe0 [ 875.299182] ? __kmalloc_track_caller+0x14a/0x720 [ 875.299203] ? memdup_user+0x2c/0xa0 [ 875.330420] ? strndup_user+0x77/0xd0 [ 875.334246] ? graph_lock+0x170/0x170 [ 875.338070] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 875.343622] ? proc_fail_nth_write+0x9e/0x210 [ 875.348134] ? find_held_lock+0x36/0x1c0 [ 875.352309] ? ib_init_ah_attr_from_path+0x4f8/0xb40 [ 875.357445] ? check_same_owner+0x340/0x340 [ 875.361779] ? lock_release+0x9f0/0x9f0 [ 875.365769] ? check_same_owner+0x340/0x340 [ 875.366690] binder_alloc: 15268: binder_alloc_buf, no vma [ 875.370102] ? rcu_note_context_switch+0x680/0x680 [ 875.370120] ? __check_object_size+0xa3/0x5d7 [ 875.370143] __should_failslab+0x124/0x180 [ 875.370163] should_failslab+0x9/0x14 [ 875.370178] kmem_cache_alloc_trace+0x2b5/0x730 [ 875.370205] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 875.375836] binder: 15268:15279 transaction failed 29189/-3, size 0-0 line 2970 [ 875.380671] ? _copy_from_user+0xdf/0x150 [ 875.380693] copy_mount_options+0x5f/0x380 [ 875.380712] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 875.380739] ksys_mount+0xd0/0x140 [ 875.380758] __x64_sys_mount+0xbe/0x150 [ 875.432333] do_syscall_64+0x1b9/0x820 [ 875.436244] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe 07:50:20 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x11, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x0, 0x0) [ 875.438997] binder: 15270:15288 got transaction to invalid handle [ 875.441622] ? syscall_return_slowpath+0x5e0/0x5e0 [ 875.441641] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 875.441660] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 875.441676] ? recalc_sigpending_tsk+0x180/0x180 [ 875.441693] ? kasan_check_write+0x14/0x20 [ 875.441714] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 875.441749] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 875.441762] RIP: 0033:0x457099 [ 875.441779] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 875.441788] RSP: 002b:00007f7d81711c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 875.441806] RAX: ffffffffffffffda RBX: 00007f7d817126d4 RCX: 0000000000457099 [ 875.441816] RDX: 00000000200003c0 RSI: 0000000020000380 RDI: 0000000000000000 [ 875.441825] RBP: 00000000009300a0 R08: 00000000200004c0 R09: 0000000000000000 [ 875.441835] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007 07:50:20 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:50:20 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x600000000000000, 0x0, &(0x7f0000000080)}) 07:50:20 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x5, @loopback}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:20 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269637813b022d961ee2900"}}) [ 875.441852] R13: 00000000004d3228 R14: 00000000004c81cc R15: 0000000000000001 [ 875.448211] binder: 15270:15288 transaction failed 29201/-22, size 96-0 line 2855 [ 875.538927] binder: release 15268:15279 transaction 9898 in, still active [ 875.563706] binder: send failed reply for transaction 9898, target dead 07:50:20 executing program 7 (fault-call:5 fault-nth:2): socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:50:20 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x2, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x0, 0x0) [ 875.804972] binder: release 15304:15309 transaction 9904 out, still active [ 875.812207] binder: unexpected work type, 4, not freed [ 875.817550] binder: undelivered TRANSACTION_COMPLETE [ 875.826971] binder_alloc: 15304: binder_alloc_buf, no vma [ 875.832733] binder: 15304:15309 transaction failed 29189/-3, size 0-0 line 2970 [ 875.873529] FAULT_INJECTION: forcing a failure. [ 875.873529] name failslab, interval 1, probability 0, space 0, times 0 [ 875.884866] CPU: 0 PID: 15313 Comm: syz-executor7 Not tainted 4.19.0-rc2-next-20180904+ #55 [ 875.887911] binder: release 15304:15309 transaction 9904 in, still active [ 875.893357] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 875.893365] Call Trace: [ 875.893389] dump_stack+0x1c9/0x2b4 [ 875.893413] ? dump_stack_print_info.cold.2+0x52/0x52 [ 875.893431] ? find_held_lock+0x36/0x1c0 [ 875.893467] should_fail.cold.4+0xa/0x11 [ 875.893494] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 875.900432] binder: send failed reply for transaction 9904, target dead [ 875.909984] ? rcu_cleanup_dead_rnp+0x200/0x200 [ 875.910001] ? rcu_cleanup_dead_rnp+0x200/0x200 [ 875.910024] ? find_held_lock+0x36/0x1c0 [ 875.955664] ? check_same_owner+0x340/0x340 [ 875.959996] ? rcu_note_context_switch+0x680/0x680 [ 875.964924] ? copy_mount_options+0x5f/0x380 [ 875.969352] ? ksys_mount+0xd0/0x140 [ 875.973090] __should_failslab+0x124/0x180 [ 875.977329] should_failslab+0x9/0x14 [ 875.981127] kmem_cache_alloc+0x29c/0x710 [ 875.985278] ? find_held_lock+0x36/0x1c0 [ 875.989341] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 875.994100] getname_flags+0xd0/0x5a0 [ 875.997925] ? trace_hardirqs_on_caller+0xc0/0x2b0 [ 876.002862] user_path_at_empty+0x2d/0x50 [ 876.007015] do_mount+0x17f/0x1e30 [ 876.010565] ? copy_mount_string+0x40/0x40 [ 876.014810] ? retint_kernel+0x10/0x10 [ 876.018711] ? copy_mount_options+0x1a1/0x380 [ 876.023215] ? __sanitizer_cov_trace_pc+0x3b/0x50 [ 876.028084] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 876.033627] ? copy_mount_options+0x285/0x380 [ 876.038130] ksys_mount+0x12d/0x140 [ 876.041769] __x64_sys_mount+0xbe/0x150 [ 876.045751] do_syscall_64+0x1b9/0x820 [ 876.049646] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 876.055014] ? syscall_return_slowpath+0x5e0/0x5e0 [ 876.059945] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 876.064801] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 876.069834] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 876.074864] ? prepare_exit_to_usermode+0x291/0x3b0 [ 876.079884] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 876.084737] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 876.089932] RIP: 0033:0x457099 [ 876.093135] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 876.112039] RSP: 002b:00007f7d81711c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 07:50:21 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x68000000, 0x0, &(0x7f0000000080)}) [ 876.119753] RAX: ffffffffffffffda RBX: 00007f7d817126d4 RCX: 0000000000457099 [ 876.127018] RDX: 00000000200003c0 RSI: 0000000020000380 RDI: 0000000000000000 [ 876.134287] RBP: 00000000009300a0 R08: 00000000200004c0 R09: 0000000000000000 [ 876.141552] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007 [ 876.148822] R13: 00000000004d3228 R14: 00000000004c81cc R15: 0000000000000002 [ 876.161338] binder_alloc: binder_alloc_mmap_handler: 15270 20001000-20004000 already mapped failed -16 [ 876.166402] could not allocate digest TFM handle sha1-genericx"a) [ 876.199525] binder: 15270:15316 got transaction to invalid handle [ 876.205903] binder: 15270:15316 transaction failed 29201/-22, size 96-0 line 2855 07:50:21 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x500, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 876.262807] binder: undelivered TRANSACTION_ERROR: 29201 [ 876.269306] binder: undelivered TRANSACTION_ERROR: 29201 07:50:21 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x0, @loopback=0x7f000501}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:21 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0xf, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x0, 0x0) [ 876.335119] binder: release 15324:15327 transaction 9911 out, still active [ 876.342241] binder: unexpected work type, 4, not freed [ 876.347575] binder: undelivered TRANSACTION_COMPLETE 07:50:21 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x34f30300, 0x0, &(0x7f0000000080)}) 07:50:21 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) [ 876.386817] binder_alloc: 15324: binder_alloc_buf, no vma [ 876.392482] binder: 15324:15331 transaction failed 29189/-3, size 0-0 line 2970 [ 876.420433] binder: release 15324:15331 transaction 9911 in, still active [ 876.427519] binder: send failed reply for transaction 9911, target dead [ 876.499707] binder: 15330:15333 got transaction to invalid handle 07:50:21 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x13, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x0, 0x0) [ 876.666102] binder: BINDER_SET_CONTEXT_MGR already set 07:50:21 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x0, @loopback=0x7f000003}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 876.695959] binder: 15342:15345 ioctl 40046207 0 returned -16 [ 876.716285] binder_alloc: binder_alloc_mmap_handler: 15330 20001000-20004000 already mapped failed -16 [ 876.752272] binder: BINDER_SET_CONTEXT_MGR already set [ 876.778237] binder: 15342:15349 got transaction to invalid handle [ 876.793215] binder: 15330:15351 got transaction to invalid handle [ 876.821334] binder: release 15330:15332 transaction 9917 in, still active [ 876.828459] binder: send failed reply for transaction 9917 to 15342:15349 [ 876.835464] binder: undelivered TRANSACTION_ERROR: 29201 [ 876.846616] binder: 15330:15332 ioctl 40046207 0 returned -16 [ 876.916217] binder: undelivered TRANSACTION_ERROR: 29201 [ 877.470380] binder: undelivered TRANSACTION_COMPLETE [ 877.475626] binder: undelivered TRANSACTION_ERROR: 29189 07:50:23 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x0, @loopback=0x7f000002}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:23 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963a72066d5bd6c7c00"}}) 07:50:23 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3f488, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:50:23 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x14, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x0, 0x0) 07:50:23 executing program 7 (fault-call:5 fault-nth:3): socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:50:23 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:50:23 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x6000, 0x0, &(0x7f0000000080)}) 07:50:23 executing program 5: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ipvs(0xffffffffffffff9c, &(0x7f0000001500)="2f70726f632f7379cba73d875aee9f5f91732f6e6574001d1a96756b43547ea942a421010000006e6f6408000000636f6e6e0001b1db2ee99c03886c3b9dae0873485bcf925f4e803d286a0bfe10f7f26550afb420b89272b73ccb1ea6e602c185106d20ded91788eaef8c83d97b5df75880f8aca1a31b24888962c792bf5158a7ca57fc02ef7db215d5b0983b758295ea69f9ed0fcdfe1d467cff13faf2f71dde46dcb44e188256ac55e453e76c2143949df38f30915bc597665ea4ab459223fed9d0e53b3bcebfcf2140b095c4b5c8c79e24d7fa73ee8700061f26adf048c70dddeea2845c1b27fd2cae4b573047d24022014763303c53fddcb611b41e91deca4d28445472b50971b39c837f90d135ecab0aede49ef2d9b5f84726242ed0280bced00703f781b6700833c30ceec12a09d271fa60bf6f4608515e9095ca97e066c3fb67a111a503ad06674f3b54dd1baa1705d2777980869e2229b5efea43551b6879327915e0", 0x2, 0x0) fcntl$setflags(r0, 0x2, 0x1) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) arch_prctl(0x1007, &(0x7f0000000500)="b4a1c6db2a7b83bddf3d441a8b13c24d45a93a1d9a8b0b50a78dda9598c70ba62fd6c30c6ee6ba7dd1106c09ab626026415ec2bc4918d7a68277cc82e9da8d0f47d1387dfefbed85e4f5aa3740894d40d9929202d6be616c17375e84f688327b545074678ebdba45b739bcabbf5c793d793a488a1b7e7520b95b7ad9f36d418344ef48d22d935ad17755fc6c395d81c8e83bed37b7bc245aae5b397bae7b84882a96cc11182cdb4bd7e534020801fb3071a8da00d2f53a1d29fda8eeada86775d6958baea88c1a4104fd447c25777aa96420f8b6a8f1a96d7a21741512b488d78d4438334fbc6c3a5ab9ce58f6a9c28516d4b7f8dbcd79e3782c3faa91f5de4f52c61040f4629f57c2bd1858a092dde0523253dbb1db13be3261d22e838401d170ae1fcd70a5ca654eac0f74a0b70576ef08a26a4af540a91c30a25f6ea1d075c95d834b46ace06966d3cf734d41d90d364cddfe53c96c266a979077365dd0c940ec8c85faf49ca748cc8677074c348860a838e189d151583846694d0785f3df9b1de58e1c3e7c4ef09f96b5a7b33d63c4f5840d87f55af9f54e4f6f5ac15d88e70ee9dd807ec9014950e09596d678b13675edfc59eb6cfe4d1f2d9010f7769694a2e52efdafac4bd1488f86b9fbd0acc9494a941f5c289dc195cf7a68d181678d0213d26ca138d091a8f29d21e0858fdb84c6eea458ef3047487af962c81bbde5d644fe002d2c097842c41f1054f045f1646b14edfbc9ee92169a3403b798b057cbb2da79d304c9ae1ca5274aecfd334b868fdd29b40e1ee4f8ee987f935c21f11dc6c9fd2bace8d859a1b864a66bac967dcd0b6f3f774501c6c7c055f9a48daffc27077ad6864c63aeb21b8bf8aa16727b0a27110545433523611e3e12f3645e23b5a6c7444e2368a55015b067ac353e5eda2ea6f4e5fec5bd22809034c28434fc728209747b3feea08690f9a702361a7a10c09ce1ebe139a8d5d71ec852cd02abdd7cba1431233809cbedec8934efd0dc2c00ac73cf66a74c2182f4fa7e159b121b78287a2d9ff3bd0108d8e9996aa37b39cb8e91fbe62ccb24a119a669af26a796df1a80a4c7157b4b83fb5df98d66c0d716f43a4a5507203172c778c9c6db7d1214a0073dceecd792bfab7d61fdd050825bcc23417eeb2232b7dcd2c48a7783b9df9995ef68d8b351e542411872f6a915a196760f2514170332ad43f6be72a6bec26d0e9639021a1e685233d9f6bf02d7d8e38d94b9ae35dd369f8cca1bc492487accdb6b94f0449802d64489e26d018e009c08ed6b530a04bfb680dc7592c1a920db875d4bd295306fc26942f8d011fbc54c769ae5d77e17bcedca714323a7ff0bb4398833aebf1fdc235251b2753a8d674e0c6c6a6aa257d272e069cf0db66a493f29c2c0053e01c836315d420a2020a36d837323ee422d5bca357181788c59b94a589345370c60ba779257a02514a3efca867ef1e6420b5b7a71f48d2f4beed5c5a0861c9d96a7ea6d9825931026123271c8a5fe63bb52fa912de5efffe422effc04f4d227dec0549862629f0f3e725e3789c536b153adb3ae5dfffe483aa816cec27f8768d93714879d89e722debbabbd37fc29509c4e2220ebe331c272dd51ace75743d6535d27239dbf16a1536f712fdafa508cdfdc179632667b0033ca8b2b49f0c5c4f5c26965212d72f360cd186052cc5f119955866967f7f2f4f819759cd2c2fd93899aa3b598e0e4be2dce1011fa7dbe5610de5eef17b7afd62be154ab9d2fd50fbbb7083a1e16a72ee8e5113d2527887d28bf91fdf8b6913f7da32918e8c262c375d32603cc6c8cfb894cf59b3539cced0de37f83c95f594b03905e04fcaab7fbb22ff8e5ae61c56a5c4c9b4895072e68be199be4ecadc0a52c9e3aad9e6898bc65c42ae42a98886a39afb180f8eb209e4b7fd9fa02118846a51d8cdedb50dbb2fdd6a811a7eb65bf1f519c51191786a8994bff8d5064646435f35bb3fb06e801e25cfa9f81e8b48244cda975ed664265080b3af9e728379a5b3309071e43d303ddc51e58afa45c2416d560013b6e05ddc8286fad5ce09f19b1223b26f78cce793002a7b9435db6f4ccd1fc02318c703371c03a2f80b4a57706a89aeb7c8e6d02ef12b4a279fa24b1642b7d5d980883e0147b6d891694a868d708c0999a71fa1dad9781fb40f187a33a43ef9fb2ce9ae1db32c1f175109033fa94012f2369e88c0dea07d1d47cd594d96ade6a706615595384a2d94e7e6f7bd4a58cc40a550c6c6a874fcd422fb8e1c6cf0cbe21c256dbe9c08e6056ab1014c4f3f909133d232dff06f66b51a2379cea95e8135dcd371ebe58501905351bb0aef4163dd835b51d5083b897b2e4748a7768642359f96aa453dded288470e898a533caad69c08d20255da39c5b8637760cba6a92cd54f526b091737c57aded97cc2ca42380c3d6de14dcb00d3643037ed45de0722321dc6bc85322939c752028d21d7ee3597462c39098e3d7ee9756f9e778d875e6cc1b4dde06a9e708f4fa577bef57c64e5ecc78a37de18fb688880836f0691365fa8293723401e9f232e67fbcafdfc162b062237c7ee75ad159cebe010aa5fcace2c0f86a6bda1e89845200752d167b994676d0105bbfc1eff5ac5760e6e2b1ec93d2342bfc844883d36e3584efe7f4818386ccae10c45bcce2a69a61ba8e2f43df2b31117e89c0caabee3a2c4899e5bd15c8ea4eb63dff7bca9f77fd493dab44069e7336eb68a4457389a029b115038bf1b5cf687ec218c00ddb224856b3c2998a5ed89fff57a5aee4cddc94999945e3a806f2fd58a21b68bd6d0ce8697ebd3b076b6f29146a00719aa838712f11dc790c22bfc8c2f2a37b51f764f67b926b499cda6bcfcb92ca002631b12cf080f6b9b9d0f912fd5f588c6518102ddcf09234533b95a1132a3d6f56a23a2b711760a03474b3951aed4446a927b251b8b2104ed2e3d3e3b6ae680e76d1d5669cf6228a19e4af0b1f0e5319ad35b72bf28bae831c268a4c7ee4d556985d8460217f7d22e6b080ccadf7c4390a77a879738f9ac31b6561fe6f01396b5d16a12e63e9b2982b6b391b18505e3da03fc7a40bb3094bd36e1c6ff0908c7deb46741c890d4801517308fa85b8aad3fe544f70357036c5e2cd9f8ff7de18c4d122a0154260c700bdb75ddf966aa848e580b7717cacf6121bc6c54b4d72a850836e1b01fea757f3f024bbf3e1ac1ce4e5251fa1d6536ad5e3b0769db6eb771463e99c98c029fc2cd7bc00c87268ee51379c3e6b96834d4baee0818a8679b70679fce53dd1ff71550b3150725120608072d476980ce43a817d9f3c06b8ad8ab967d2f9d0cf9c0c84b096746cc78e9dff6470b84d3e12dcefa667c3b5b40616471305b1a782b9d90d5095ca072d0d9b5edfa09474c935e577a57a23b4cd96eaf7208a33585835f14a253fe1e0e6c9d3933a1b17abd45f95955824d6a4f537d9e290a0b4f5bb864c50c1a47f772eb280812a42a75bff3afadbd3869f047fcd3c7e4133d93f572af1ba4bae7cb05453abfb6a6b835aa471a3a62ceec8db685734533620ad000a626a0cdb05147b894dee72f0fb6b643eaaec5d91645aa75b86f2906e864ed1b6d9df5c8bb219f55fceab84f08532f34c83c2868ab05cff1f1816d21f1430d705dc66f652a1ddd92ca1e1747386e44fbc8e3b78c07b5b64dc5291fb29ab46a6a9e85d47a43c68fef95b29dbb0cbc874633be6a85e1b6540fe928ec331169ca8cd35cb96bf9f79c0140d927b6023328d9715ee2d48e536dd326a7df10019cc058c29d519eb59103da111dd931ed3dbec0a6983c42ef823988e4ed84a640f81b4a1f6e9af79072ff5b24950871847cca7816a0a69774bf0fd5c030818dfaea2c8da7c5de08c53524cfc440746f5eaad4dcff1ed0d20adadecb18dbf08110b9ae644570acf12650ae12bc794d493fec4b8b314ad3d7af774050c15cbd9b96418f47286ab3dd1995fe0600659f0e5bef68441ed9fc12a2b4211d378927ca7909b745313847f3ee88ff369c860fc53d685ad84fcee82bd17ec2b4cd4f265e28e87e3f713812b9d7c6e3d11f9377721494c1cfa14be40f81bda1eea71708cc44d64899d5f67bd655fe3d8a8ece3c65f6f82322b1b8079774029ff39cb130c784661048d096af95f995788fe92ebefc677b1d9e9c6ab52b9275fc8eb2bcb446517a4ab8916ee345ba364ea262b4e3cba1d5cc0c67ee590173cbce4fcc990648cc9ee4f615a775aff41531d0af761e7b973236cfdbff4025baf0720e3e63b27d129420583c03c124c018d93b68521f92329b76e45d9ec62f4e80aff1905a9247547f37f3f00656fe2fa6fa2b88c96f51c60bf172f6c627fc4709edeae9c849b24befe4dae33a7eb70a6db96647e74fde82aeb40e6f6bab06e07c4f84a9e1c971c00d7900fef08ca88d29375793b47e2604df3c68ee3701290f724cac30389a5fd701a03f6d9714af211103aed95f66112f740b00c60e6f26ec15e02f1bebf03da9047870e9212d31a541a56a11b3f87925c951d92c8822b74bafe33da908e149b0c1e5bc2460e508e2126592414077b102e8c07e66fbe4d4fc0e3637cb5ef7f5356c52af59115a52f90fcd1f28e45f188bf5786644f88c040351f858787e962018578af95d3d9df5b6beda832c17959fbad154c6f07856b0b6f9a1ce28ecf8608a5dd59642f89666a24debd496a8cc26c41ef74e9496adcbbd2f7cca6c1a475a4bf299a948c4deed217bd9a23b5e37a86d10ccd3f9c40c7981d928d242387860982112f98f0c6cc1678e9f0bfdf73af95e1b98aa5bd2d83c1fcd89f8a441401477842654c3a2042acefd884d01df36e64f3f45cf0969b9b763523e4b380129df2ad6b93c490e024dafdb5c7ca52bb12d9603dcc83fd15cfea0780672a9481221619408c3014f41fa8e3f80f2d1107af5de72918708187066c694010cb95a1ccc974b72a674d2d23ac32998b50607b4fefd589f146760b8ce65990369c059bbe37e9c3e48fce49e75997be1e187277afdab35f617641259207bb33d9d4fd05df719f589f635d3be00e6f59c14830cb89a36565a3d74ac0a0a22708da87d9cf198c5a9150cf61a4691e0eef02c408a95de9c72b275a888ea89dd937a0815eddb5a3c8d78f8e7cae8cc926b14812461daab0c1f057098552bab5207802f56904e8f68961f98b0a2c0f7d319f902b21393161068f71d2afb9e5b24ace862155b9172d6241a38f98810b4251cb8763287efac8ddee528a7e414e2b9ff50065e6e9d713b0f04cbb8bc79da27d7cf9a27277e17009dfce6fa1268416ccadbb12b6b7051f78eb1ff1e2cc7a187da32da6c1f6b3c30925c38a4e409be50a358a4a0f6356df365c9784584926e101af3252dc8d2d1acc0656ad11fabea257cb98aea78712bcf80f21a88492b4b32e1558eddb79160dfea63f0e21aa8aa0f1d2d67637b01edf69905b35ecf0ef319ff8fa69cccb57d9e3e1f59f5721e49f3e94778aad6baae36177c1fa3368ea148b826a61fab8d962b915469613e7b9fc644393d7e2cc254f8e1a558793ebbdde93ddc16d822b702ae6fe4a42f5e6e8e174fd4651d097def08ba124fd1f9d8bfc6fe5f23c05cf3fe83930813fd0601a29d5dfefabeaae887cd90d8642504a57c61490b4dfd8957fb8cc3b9609e80e899a7a1d073db773be59b26f2c0890e3d374ef517dd906251cf814d4dcb58c7d42af3b6157adb95ee8612f9ce9546a721b999bd1ffdc05223db61c03e0959928342d6168d9c6d3ffa3475a") mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$FICLONE(r1, 0x40049409, r1) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r1, &(0x7f00000000c0)=""/11, 0xeb) [ 878.222869] binder: BINDER_SET_CONTEXT_MGR already set [ 878.232257] FAULT_INJECTION: forcing a failure. [ 878.232257] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 878.233014] binder: 15382:15387 ioctl 40046207 0 returned -16 [ 878.244080] CPU: 0 PID: 15385 Comm: syz-executor7 Not tainted 4.19.0-rc2-next-20180904+ #55 [ 878.244092] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 878.244099] Call Trace: [ 878.244135] dump_stack+0x1c9/0x2b4 [ 878.244170] ? dump_stack_print_info.cold.2+0x52/0x52 [ 878.244208] ? mark_held_locks+0x160/0x160 [ 878.283518] should_fail.cold.4+0xa/0x11 [ 878.287585] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 878.292697] ? mark_held_locks+0x160/0x160 [ 878.296930] ? graph_lock+0x170/0x170 [ 878.300732] ? print_usage_bug+0xc0/0xc0 [ 878.304802] ? find_held_lock+0x36/0x1c0 [ 878.308870] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 878.314436] ? should_fail+0x246/0xd86 [ 878.318330] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 878.323440] __alloc_pages_nodemask+0x365/0xd10 [ 878.328110] ? rcu_cleanup_dead_rnp+0x200/0x200 [ 878.332781] ? __alloc_pages_slowpath+0x2cb0/0x2cb0 [ 878.337804] ? find_held_lock+0x36/0x1c0 [ 878.341900] ? trace_hardirqs_off+0xb8/0x2b0 [ 878.346329] cache_grow_begin+0x91/0x710 [ 878.350399] kmem_cache_alloc+0x63a/0x710 [ 878.354571] getname_flags+0xd0/0x5a0 [ 878.358383] ? retint_kernel+0x10/0x10 [ 878.362275] user_path_at_empty+0x2d/0x50 [ 878.366434] do_mount+0x17f/0x1e30 [ 878.369970] ? rcu_is_watching+0x8c/0x150 [ 878.374134] ? copy_mount_string+0x40/0x40 [ 878.378376] ? retint_kernel+0x10/0x10 [ 878.382270] ? copy_mount_options+0x1f0/0x380 [ 878.386769] ? copy_mount_options+0x202/0x380 [ 878.391269] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 878.396808] ? copy_mount_options+0x285/0x380 [ 878.401306] ksys_mount+0x12d/0x140 [ 878.404935] __x64_sys_mount+0xbe/0x150 [ 878.408953] do_syscall_64+0x1b9/0x820 [ 878.412873] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 878.418242] ? syscall_return_slowpath+0x5e0/0x5e0 [ 878.423175] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 878.428206] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 878.433233] ? recalc_sigpending_tsk+0x180/0x180 [ 878.438005] ? kasan_check_write+0x14/0x20 [ 878.442273] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 878.447124] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 878.452311] RIP: 0033:0x457099 [ 878.455506] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 878.474403] RSP: 002b:00007f7d81711c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 878.482113] RAX: ffffffffffffffda RBX: 00007f7d817126d4 RCX: 0000000000457099 [ 878.489383] RDX: 00000000200003c0 RSI: 0000000020000380 RDI: 0000000000000000 [ 878.496664] RBP: 00000000009300a0 R08: 00000000200004c0 R09: 0000000000000000 [ 878.503929] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007 [ 878.511198] R13: 00000000004d3228 R14: 00000000004c81cc R15: 0000000000000003 07:50:23 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x3, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x0, 0x0) [ 878.524073] binder: 15378:15395 got transaction to invalid handle [ 878.530460] binder_transaction: 3 callbacks suppressed [ 878.530477] binder: 15378:15395 transaction failed 29201/-22, size 259208-0 line 2855 [ 878.584846] binder_alloc: binder_alloc_mmap_handler: 15378 20001000-20004000 already mapped failed -16 [ 878.596841] binder: 15382:15396 got transaction to invalid handle [ 878.603280] binder: 15382:15396 transaction failed 29201/-22, size 0-0 line 2855 [ 878.617816] binder: BINDER_SET_CONTEXT_MGR already set [ 878.632912] could not allocate digest TFM handle sha1-generic fսl| [ 878.639828] binder: 15378:15383 ioctl 40046207 0 returned -16 [ 878.650605] binder: 15378:15403 got transaction to invalid handle [ 878.657054] binder: 15378:15403 transaction failed 29201/-22, size 259208-0 line 2855 [ 878.668194] binder: release 15378:15383 transaction 9924 in, still active [ 878.675358] binder: send failed reply for transaction 9924 to 15382:15396 07:50:23 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269639a9d3b4b2dcdcc00"}}) [ 878.682408] binder: undelivered TRANSACTION_ERROR: 29201 07:50:23 executing program 7 (fault-call:5 fault-nth:4): socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:50:23 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffdfd, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:50:23 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x0, @loopback=0x7f000007}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 878.791562] binder: undelivered TRANSACTION_ERROR: 29201 07:50:23 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0xb, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x0, 0x0) 07:50:23 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) [ 878.872493] could not allocate digest TFM handle sha1-generic;K- [ 878.950792] FAULT_INJECTION: forcing a failure. [ 878.950792] name failslab, interval 1, probability 0, space 0, times 0 [ 878.962155] CPU: 1 PID: 15418 Comm: syz-executor7 Not tainted 4.19.0-rc2-next-20180904+ #55 [ 878.970656] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 878.980018] Call Trace: [ 878.982630] dump_stack+0x1c9/0x2b4 [ 878.986282] ? dump_stack_print_info.cold.2+0x52/0x52 [ 878.991491] ? putname+0xf2/0x130 [ 878.994971] ? filename_lookup+0x397/0x510 [ 878.999229] ? user_path_at_empty+0x40/0x50 [ 879.003570] ? do_mount+0x17f/0x1e30 [ 879.007314] ? __x64_sys_mount+0xbe/0x150 [ 879.011499] should_fail.cold.4+0xa/0x11 [ 879.015587] ? do_raw_spin_unlock+0xa7/0x2f0 [ 879.020021] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 879.025147] ? kasan_check_write+0x14/0x20 [ 879.029413] ? _raw_spin_unlock_irqrestore+0x63/0xc0 [ 879.034543] ? find_held_lock+0x36/0x1c0 [ 879.038723] ? usbdev_poll+0x198/0x440 [ 879.042663] ? check_same_owner+0x340/0x340 [ 879.047006] ? rcu_note_context_switch+0x680/0x680 [ 879.051974] __should_failslab+0x124/0x180 [ 879.056234] should_failslab+0x9/0x14 [ 879.060060] kmem_cache_alloc_trace+0x2b5/0x730 [ 879.064780] ? kasan_check_write+0x14/0x20 [ 879.069042] vfs_new_fs_context+0x5b/0x720 [ 879.073312] do_mount+0x605/0x1e30 [ 879.076880] ? copy_mount_string+0x40/0x40 [ 879.081141] ? retint_kernel+0x10/0x10 [ 879.085059] ? copy_mount_options+0x1a1/0x380 [ 879.089578] ? __sanitizer_cov_trace_pc+0x48/0x50 [ 879.094442] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 879.101221] ? copy_mount_options+0x285/0x380 [ 879.105753] ksys_mount+0x12d/0x140 [ 879.109407] __x64_sys_mount+0xbe/0x150 [ 879.113412] do_syscall_64+0x1b9/0x820 [ 879.117322] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 879.122711] ? syscall_return_slowpath+0x5e0/0x5e0 [ 879.127680] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 879.132721] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 879.137771] ? recalc_sigpending_tsk+0x180/0x180 [ 879.142549] ? kasan_check_write+0x14/0x20 [ 879.146821] ? trace_hardirqs_off_thunk+0x1a/0x1c 07:50:24 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963cc04716effd83800"}}) 07:50:24 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x10, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x0, 0x0) [ 879.151703] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 879.156915] RIP: 0033:0x457099 [ 879.160138] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 879.179055] RSP: 002b:00007f7d81711c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 879.186787] RAX: ffffffffffffffda RBX: 00007f7d817126d4 RCX: 0000000000457099 [ 879.194070] RDX: 00000000200003c0 RSI: 0000000020000380 RDI: 0000000000000000 07:50:24 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x750e, 0x0, &(0x7f0000000080)}) [ 879.201354] RBP: 00000000009300a0 R08: 00000000200004c0 R09: 0000000000000000 [ 879.207879] binder: undelivered TRANSACTION_COMPLETE [ 879.208629] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007 [ 879.208640] R13: 00000000004d3228 R14: 00000000004c81cc R15: 0000000000000004 [ 879.228588] binder: undelivered TRANSACTION_ERROR: 29189 [ 879.275522] binder: 15424:15439 got transaction to invalid handle [ 879.281904] binder: 15424:15439 transaction failed 29201/-22, size 4294966781-0 line 2855 07:50:24 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x0, @loopback=0x7f000009}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:24 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) r0 = syz_open_dev$dmmidi(&(0x7f0000000000)='/dev/dmmidi#\x00', 0x5, 0x0) getsockopt$inet_sctp6_SCTP_LOCAL_AUTH_CHUNKS(0xffffffffffffffff, 0x84, 0x1b, &(0x7f0000000a80)={0x0, 0x1000, "1664d1947ff0623a9a13699ea52b59f749a6fc52cf32d65404db3e6262cffdbbcd83a5e0ccaa3f3078c1f98a80f5f81bf1136c92c3860d66ad4971695ad596c8293093e1748e0bac9427501137331b3c77652503bcb43961f2a368d58c1a54537a2fef47e0008c65d964a8b15bb671f625a5a19df50d2fdb67a96c6760ecda94d0cd979f1ec871da1163bf8b788293ade4b57f5fd0bc4a277ad01f56cdb9b3e02fe6c692512c441a6c396be75a4ca18431b379b47317fed84d22fa64df325d1e1f9d905189275b64bb6f1237e8530404459dd02a022fedda997534fe1008c235a470c3e649e7ce925117baaf5c8b7e357c4502fb3e65f9d6c07b2bb90e58770bd890c852c0644c5cac029f53d8651f1ab33ab78da095f59490107d52f7693a6d689f13876cf804d701be18e7d1f9b42ec5c14756f1ea6fccb90eae023288f6262be81a9f4e082c8e9c83f51a6eb546c83a68859dd08d4043f83bfa73cf700bbd5364e7193e4e6b73ed52e3791df5d85a5d4e51daf5f435f95c034c2c0cf374d8070bd43358f96642d59a874fb8e26c39e0f63f9664070136798f6a137197f72af29436113dc737a25e3ad3aaef1b95b7b5c5670b24a073971081ca86ff40d4fca13756e43dce3242727796fa83a4778ebb183f30fa0ff1f39fac50096986249a562a63841919ec01f3e16c80aa3cbb8ae93c70feb9900c2fe120527f9b160a33d8ba2075ddca935fdd4bf8e930ffa189c3736c40ab7f00a5cd24f06b38e77098170d66325643675c0a6a7b61f2657282964c58e8a1026833ea95f72e70e3fd0dae14fac9d97cdeb4339667e5d0f549098470fa711ac8a2bb1fc1cdebf79dfa5d2c0bfc058e33c8da5661da9f9e286754634fb6b74b14a3704f2bb446491bb0a5de032f1d853525aebb568dcc21040e65ec749d97ba665f148b4704e2254eaa956a73d8b4246fb4965dc9a1a2478cd46f901898f2c676292a46c61060c5436e10e6a50c470bb0054cfcb833263d7036faa242d54bf26da99aebdfdef7e75e38485c52b75df86cea02565f38c98cfc340950d6893440644066d212383a395e1deb70afcfc22afdaa78694c07adcb3d9a3ce6516f948cdba2e182d7afd71c8d1ec02654c5f56706e4bb14e05bd8bf3decb636e8376962431d00d23f688c69b49b17f35a32a2d06f95ba4aa44554b9ef197a53b00f382ed2539e2f5e4f763d470022994dc2bbd567244ebdbf14a55117b7ae98e4999c9a83c758ebd4b4d109d996d0f477d722af50eca52f67138640fd4a766726592007f401dfbc6959bf54172b3a4d0713ec9fe6f5fc98806173986c17e4feef11a84264b3acd1573d7012524a28d37831d64132ea167d2a402e569d9ecb5f387f023c41aa614f48e53f19b1483e0576752e4459af7f35732f97d95398183e9ce81c65faa26392c172a9608327279e86e7c6fc78069ea0a6bd2755cf15d2b0d8baf3629d95bbf933d306eda03a3c743c36ac62bf1d155819d2337b941cd9d96585bf0559f9836765e9c55fe4d842e0996c51824e4511e23ebf13c9253f84546358ec32dc9f77db9d23e06ac423f1347326ec03c23130e928477f76ded0c495068d6d3bd50cf272ae2b4d8cc1afcfbbff16efe002e0d2c36735a6377c5c2c1c4d6078251883d63a2796846a3d0af88a61ef339de6a83475234f29b59e21afaa48782eb442a214bd656c581093c943f0faf59fdb0a3f090eacf7db987aa6ae78892f7debe4a33a4132708a4907437dce8e55043862ef66b8dd150643281734b2a30d2f95a46d3bc6395554e684e9028c17500d8c1990002d3363b93635f3b83f3678ad3d25a24c65b107836bc3dffc77bd1fc6a467ea91742d591077239adc7e4a8729190b5a08f53710b992b3dc782c91c37e2cf05c50e2a02e75c293ed28186aceadb5c2b418241a78f872e610af34232683eadd5508c3e24aef1e05000943a308b3c8a6a3b30899ff640c959ff7195afcf5741f9121d2ce87ea8b7878e5b7f2687833fe03b2112bf49f5bd2934f864fef30e8bad3ce7b807c4f7483b85da99a9a1d05f085d893c5998c71b6c0bbfd6d034d96d99160d3d20abd70c841612889979023a3622bdec37d00b52f4a9b264fabdeced88ad2a254b8b187937daaa328ae5df93942abd0119d6a1e6e63643bc68fad168aa006bc27acedc0fd69e7f19ebf92713fc662586aa3760b815ec630710db9df283b2076a6df5d210a8f3f34f7bf5c084fc93ada596d73c2c061a052f478cc82c98a8f7b24cfea0d2acc1b1515ad2878cf54ee12554a8ff9eabb8cae0031ca25bb6155bfe241cec787b8c087ef1788217f994f3b97e93890584175467a506a72e5bbfcccdacd7af8296e785d9e1a024e6ea3f987bc94e6ce63bb597f2444eac7790fe5f1d03fbdc49a57e7b3df3b210d8831ae6b9e60e7149774ecd1cf879ee036216e00db45106b427b56c28bdb3e23a3cb040efe20977f2097fc613e797892047525931369b57c115b66e886c8d1f752aec5fa38d823ef928c080c925b4c44a26eb8cf1f3b5208401e0eadb4f444f0b89f5e6b2880bd808a4159e2e73e9b9db148d50e4f463cf0b230d65060eff89e82627c52e730296464875dcd8afbf7bff7b58118ef60b09cd9f5144360240d71f00451c8d179b56ef72c58326622394209cf8121750e81c5eda2fbc227ad6fefc808c606c665ad92a784307da7b5bbf00c110d7c95a8615b2b34c0bfcea36976cdeeb034dd945f2dd4a19b09201c46f3aabf8599b631567abc8bd4c34ed1f9ac7b9134006ac9b1a3d54a8b0ad96225ff6290f591b68e7fec15a1b890da824f4483ea2a08ff3f52a50a3994b1bf80505eb5c59dd295e9ab0ff7064fefc9b7ac7696b7865187b3c5880f60e2b5d8b7b08bca202a4576884ca6a7f035a2a7b0603dc97a017d69abac09c9fc1c7bb1028b1d8118723076e6f185c1ec69e37a77623fffdd27988c50fb6b3a4e5626fc3fbdd0295505d10b98b7bde20e2a867ce7f53101a38693b55a7f1fff3e30dad20e3a9812f6c07875be39b2d7de1ef7f2f89479096b28ecc4ec1a0223b3d36ccfe18d972ae87f6ce62486b721e6b9273d04be0bb946eb67e9086b21bdcb87b4389b2532015c6ad503c7a289f9f0b6b1b74895164798d1dbe3462b4035483ad4f418f7b50ed15016423891395c95d17a216183a598b1cc8d7aee1ed72e8ae732e045f535ff80b704d57a377b13829632cbc2cebe01ae4c59667cb80ecb50857433b37e26867ba8579144775fdff613c2f1fac439bd788bc8a65d9ce41b94c2052a4590975e387bdcc27916ee8420bea857f0252ee8852771510e65111dbd4da75cf20a66b525703a0141cc0cc7a136ddeecd360f7fee4f3daa2e884a49ea1bbde1c82b979fb972a5ce0863bf3e0dece5cf16fef3377062e8f9323fc4f331c005358e9646c2de7a773201ddcd33fa03335bc87f0ffaa73b679c0f88eb3e7fb4432334c3b5c13b5edbc79aa44416d20ee7d8460c153752253b4eb83699b552231dd3f08b9fe5c8ba47ea650b18e2300b62816407c0bed4d7177cefca38be8d137930dd528fb6a52d6236db4a490cee4ab6d549bbc223b0b4949835a70c1daf8bb74f12b5797e8748028bbdf6749a9f14d3462c60fab8bb7c122042e84da96b01ed2416f926cab3094157254ab185d3249c887989148288407b1c151e202719d17e28a84edbf38658bd5afc1d5d176dad165e0969a01d3c77f7eec6cadc6da9570f949f580030a934c6c6f6d42f3a7f8dc26d4205f411a137dc517a112dbb5b899de75a33800caaa1d9ceeab800b05c143a7d97cd9623e97606c72d6c171b8920ff721998a865007846ff54cd6bfa6905302a1865c55947ce143646baa48347ace1f513de1e0cf7cb9afa886a0e77d44a1516686a940a0eb57f3304682fccb59dda430ffc31a93d41be3b03a6eb1f77b5507deee80bd6a20c176aa1fd071593a38251fa7cbc1f8e86b75c3bbea1fdd4604300e528fc124f622c48b7fd2cbdd57309ec3de26ecb09d2be4bb27c45e27be5224fa8bb91d79741842f76fd793c6d0504e17eaf89943a8d16f5549032a3be4c9d40f7674f8940e0bf39120ae8ae9de1e0cadd2ff01cc693083c6526a9d2816b480958d81678bb72da2462dbf0c3fc85b708feda642d8d7efa556868964d7a03e18d0d891c05331cf2e734fbd6befe04702d87fe82bb93247748943a33b952670fcca8291897b43d2275889e17551526e7f956af057fccec9c1c9906f9b16f2c7cf7f406168f6ee0c5cd394c5e3f38d97fa3acae2c728586e78010d19b29d0e9f9a3c31ef6d9e4a4decec4eee46ad3bad88541a4a946357ed4b10fe613da237b7cc85d10b40f44c9d47093d474f420f134348b840ec5cc964c9154d0e05dc837f56df3fea043a3204ead15eb3ad2f6f416ffa138723704f9776079c00a688723da4e9d41d33a48cf264b9d61ade12f769cb0f570e5d6d2436c7c3087a588c270270d2bd7e7ab98d8b44b24b2d015d46e905f027ea2ca82fdca006e1460c3e7990d3192125ded6d089b0f738990b01ff82c89dbe87da35ef077ee059213436b15627997271cbe328a123e1370a8dd1061fbae25a859c2cb7b041949b7d996e2d89429ff4ac1a7b6a83e172ec7c1543a0d13d72b7412c13048afaf853afdba537257177142d115e88c4d15ed28ec254ad05b123c6c83f6512ba4329b2fe94e7004e5f1eb06fef01549b41b6cb3695a86047190a77b1cabdadfc35cdaa24b483e35079d9e208f1d7a4bca51f9839c96fba37b046925a7dd84615c5253010ab287477205e8ac0f14441c64185d81d59d0b0974d5ca5a6061c0002b61093f5e8142727681d9f2833439fe8c237a5d447afbcb5d65ef9aa2f07e562366c76a954bfbf7bd391a9356390b072d40fde751cec8ec7b8be01ba7977a84feef9fa52c4ffcbd3823f02b72bd831d298af9ee40b0254ce040a88844e2523bc77864bc432949596a54873c211535a69f66f43a7bd61b99e0920463774e26b0fda680c5143c581c9a2060487a46de232fe4ab5cf8fcbec4a0de16f4fd653960d5e24f20e23f8c599d033c5404383473a02cd1b285ff7457fd3ba1f185caddb2654e216565d98703fc6597be0b8b8c9facfda939e18422bed9b34bca9215a362ccda2394ad6c7ff4463f2360fe8c82622f2041386cde6d60cdb3aa91f3449218cd73fe715bf81988d2d2e57e69a42b9470bf357e337e7277a60106e8b84fcb868fe0f45aba0db2f13950648fdd4511cd033951023c8c3f11f75e718dcb5b338368a700084fd8f1a33a18cdb356f066a1cf9c504d875bc5986d2e94d6024400f09a5a119e7603204d590b179034dcbb0786ec2a34d21798dab86cd22906a413ffa60d7b55fd636f29ca73a56250e557c1c0702f1075343484a57608deebd83655113476be9f6411213d380632b330ef4b9fe852f7fef2a08808c2ac9617cfb3388ceae4aa4867d70881fc8663993b731cc99315e3b9a0e69ada28daa9803bd33b4f3237a6f335f779d64af51de07ba1f077b90310b9f73ddb0782aba7574fb72795ca502a86dce25252b8b9a882098d47343a2768cce2fd8a187a4e022a4483eff14b6181c672b3791444229605339b95d7896490f1b5b02df6a3760b6d61a76d1f573a5cb5c4d3b216df0b80a10f77979bc529d5a55be1667804722d1516f19202d9dbaecec9ce3b1a4721180a3b428c1414b7561872cf7db349a5ba80b232df6e4e56c080cd0e5513d300296312ac403fa4f5cc23c64fea"}, &(0x7f0000000040)=0x1008) getsockopt$inet_sctp6_SCTP_RTOINFO(r0, 0x84, 0x0, &(0x7f0000000080)={r1, 0x100000001, 0x1, 0x401}, &(0x7f00000000c0)=0x10) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x0, 0x0) 07:50:24 executing program 7 (fault-call:5 fault-nth:5): socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 879.330826] could not allocate digest TFM handle sha1-genericqn8 07:50:24 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696300985bfd37afd03300"}}) [ 879.419000] binder: BINDER_SET_CONTEXT_MGR already set [ 879.434832] binder: 15445:15446 ioctl 40046207 0 returned -16 [ 879.465748] binder: release 15445:15446 transaction 9931 out, still active [ 879.472901] binder: unexpected work type, 4, not freed [ 879.478283] binder: undelivered TRANSACTION_COMPLETE [ 879.484802] binder_alloc: binder_alloc_mmap_handler: 15424 20001000-20004000 already mapped failed -16 [ 879.517655] binder: BINDER_SET_CONTEXT_MGR already set 07:50:24 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) [ 879.567542] binder: 15424:15432 ioctl 40046207 0 returned -16 [ 879.568751] binder: 15424:15462 got transaction to invalid handle [ 879.579869] binder: 15424:15462 transaction failed 29201/-22, size 4294966781-0 line 2855 [ 879.591212] FAULT_INJECTION: forcing a failure. [ 879.591212] name failslab, interval 1, probability 0, space 0, times 0 [ 879.602676] CPU: 0 PID: 15457 Comm: syz-executor7 Not tainted 4.19.0-rc2-next-20180904+ #55 [ 879.611192] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 879.620555] Call Trace: [ 879.623348] dump_stack+0x1c9/0x2b4 [ 879.627005] ? dump_stack_print_info.cold.2+0x52/0x52 [ 879.632220] ? kernel_text_address+0x79/0xf0 [ 879.632415] binder: release 15424:15432 transaction 9931 in, still active [ 879.636670] should_fail.cold.4+0xa/0x11 [ 879.636698] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 879.636724] ? save_stack+0xa9/0xd0 [ 879.636743] ? save_stack+0x43/0xd0 [ 879.636768] ? kasan_kmalloc+0xc4/0xe0 [ 879.643709] binder: send failed reply for transaction 9931, target dead [ 879.647744] ? vfs_new_fs_context+0x5b/0x720 [ 879.647759] ? do_mount+0x605/0x1e30 [ 879.647772] ? ksys_mount+0x12d/0x140 [ 879.647791] ? __x64_sys_mount+0xbe/0x150 [ 879.652917] binder: undelivered TRANSACTION_ERROR: 29201 [ 879.656506] ? do_syscall_64+0x1b9/0x820 [ 879.656525] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 879.656546] ? find_held_lock+0x36/0x1c0 [ 879.705856] ? check_same_owner+0x340/0x340 [ 879.710188] ? debug_mutex_init+0x2d/0x60 [ 879.714346] ? rcu_note_context_switch+0x680/0x680 [ 879.719286] __should_failslab+0x124/0x180 [ 879.723532] should_failslab+0x9/0x14 [ 879.727335] kmem_cache_alloc_trace+0x2b5/0x730 [ 879.732020] ? rcu_read_lock_sched_held+0x108/0x120 [ 879.737060] ? put_fs_context+0x560/0x560 [ 879.741213] legacy_init_fs_context+0x49/0xd0 [ 879.745728] ? refcount_inc_checked+0x29/0x70 [ 879.750241] vfs_new_fs_context+0x2c6/0x720 [ 879.754583] do_mount+0x605/0x1e30 [ 879.758153] ? rcu_is_watching+0x8c/0x150 [ 879.762311] ? copy_mount_string+0x40/0x40 [ 879.766555] ? retint_kernel+0x10/0x10 [ 879.770456] ? copy_mount_options+0x1f0/0x380 [ 879.774950] ? copy_mount_options+0x202/0x380 [ 879.779480] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 879.785015] ? copy_mount_options+0x285/0x380 [ 879.789510] ksys_mount+0x12d/0x140 [ 879.793135] __x64_sys_mount+0xbe/0x150 [ 879.797118] do_syscall_64+0x1b9/0x820 [ 879.801005] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 879.806370] ? syscall_return_slowpath+0x5e0/0x5e0 [ 879.811302] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 879.816318] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 879.821333] ? recalc_sigpending_tsk+0x180/0x180 [ 879.826085] ? kasan_check_write+0x14/0x20 [ 879.830325] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 879.835177] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 879.840368] RIP: 0033:0x457099 [ 879.843576] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 879.862476] RSP: 002b:00007f7d81711c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 879.870192] RAX: ffffffffffffffda RBX: 00007f7d817126d4 RCX: 0000000000457099 [ 879.877464] RDX: 00000000200003c0 RSI: 0000000020000380 RDI: 0000000000000000 [ 879.884731] RBP: 00000000009300a0 R08: 00000000200004c0 R09: 0000000000000000 [ 879.892024] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007 [ 879.899306] R13: 00000000004d3228 R14: 00000000004c81cc R15: 0000000000000005 [ 879.909382] binder: 15445:15459 got transaction to invalid handle [ 879.915823] binder: 15445:15459 transaction failed 29201/-22, size 0-0 line 2855 [ 879.990896] binder: undelivered TRANSACTION_ERROR: 29201 07:50:26 executing program 7 (fault-call:5 fault-nth:6): socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:50:26 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x0, @loopback=0x7f00000d}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:26 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000000)=""/230) r1 = dup3(r0, r0, 0x0) getsockopt$bt_l2cap_L2CAP_CONNINFO(r1, 0x6, 0x2, &(0x7f0000000880), &(0x7f00000008c0)=0x6) fremovexattr(r0, &(0x7f0000000140)=@known='system.posix_acl_default\x00') ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r2 = bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000001c0)={&(0x7f0000000180)='/dev/dsp\x00'}, 0x10) ioctl$LOOP_SET_STATUS64(r2, 0x4c04, &(0x7f0000000200)={0x0, 0x0, 0x0, 0x2, 0x8001, 0x0, 0x4, 0x7, 0x8, "ec3ef3821adb76d3c7dae54f4651dade43d7b0e08cc35754667cd529fb34e08ef3a93f7360bbf396559f8c4153e6faefaf39598eb6e330ec9a854305e8318d2d", "aba895676ffa1e12fd70aaf76c19037497f0c4d68e6090a73b2225a165c171ffc53428450a9a3784cebee4b4395e83dbd240ab615138570f2c4140743d202fda", "d26d086f7263ca6308ce17d98300927f3618c051934dc0de05b48560cb849695", [0x7, 0x7c]}) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x0, 0x0) eventfd2(0xf1fa, 0x80000) 07:50:26 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963905ea8ca6403a000"}}) 07:50:26 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7000000, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:50:26 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x2, 0x0, &(0x7f0000000080)}) 07:50:26 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:50:26 executing program 5: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000140)='/proc/sys/net/ipv4/vs/expire_quiescent_template\x00', 0x2, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) accept4$vsock_stream(r0, &(0x7f0000000100)={0x28, 0x0, 0x2710, @host}, 0x10, 0x80000) keyctl$set_reqkey_keyring(0xe, 0x3) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) ioctl$BLKTRACETEARDOWN(r0, 0x1276, 0x0) getdents64(r1, &(0x7f00000000c0)=""/11, 0xeb) [ 881.164804] binder: BINDER_SET_CONTEXT_MGR already set [ 881.168870] FAULT_INJECTION: forcing a failure. [ 881.168870] name failslab, interval 1, probability 0, space 0, times 0 [ 881.181511] CPU: 1 PID: 15487 Comm: syz-executor7 Not tainted 4.19.0-rc2-next-20180904+ #55 [ 881.181860] binder: 15481:15490 ioctl 40046207 0 returned -16 [ 881.190011] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 881.190019] Call Trace: [ 881.190043] dump_stack+0x1c9/0x2b4 [ 881.190069] ? dump_stack_print_info.cold.2+0x52/0x52 [ 881.190090] ? is_bpf_text_address+0xd7/0x170 [ 881.190114] ? kernel_text_address+0x79/0xf0 [ 881.215351] binder_alloc: 15481: binder_alloc_buf, no vma [ 881.216748] should_fail.cold.4+0xa/0x11 [ 881.216772] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 881.216797] ? save_stack+0xa9/0xd0 [ 881.221350] binder: 15482:15493 transaction failed 29189/-3, size 117440512-0 line 2970 [ 881.225687] ? save_stack+0x43/0xd0 [ 881.225701] ? kasan_kmalloc+0xc4/0xe0 [ 881.225723] ? kmem_cache_alloc_trace+0x152/0x730 [ 881.239809] binder_alloc: binder_alloc_mmap_handler: 15482 20001000-20004000 already mapped failed -16 [ 881.240407] ? legacy_init_fs_context+0x49/0xd0 [ 881.240422] ? vfs_new_fs_context+0x2c6/0x720 [ 881.240437] ? do_mount+0x605/0x1e30 [ 881.240450] ? ksys_mount+0x12d/0x140 [ 881.240471] ? __x64_sys_mount+0xbe/0x150 [ 881.244354] binder: BINDER_SET_CONTEXT_MGR already set [ 881.252249] ? find_held_lock+0x36/0x1c0 [ 881.252289] ? check_same_owner+0x340/0x340 [ 881.252310] ? rcu_note_context_switch+0x680/0x680 [ 881.256774] binder: 15482:15497 got transaction to invalid handle [ 881.259812] ? rcu_is_watching+0x8c/0x150 [ 881.259828] ? trace_hardirqs_on+0xbd/0x2c0 [ 881.259850] __should_failslab+0x124/0x180 [ 881.259869] should_failslab+0x9/0x14 [ 881.259890] kmem_cache_alloc_trace+0x2b5/0x730 [ 881.264759] binder: 15482:15497 transaction failed 29201/-22, size 117440512-0 line 2855 [ 881.274181] ? legacy_init_fs_context+0x49/0xd0 [ 881.274200] ? rcu_read_lock_sched_held+0x108/0x120 [ 881.274219] ? kmem_cache_alloc_trace+0x324/0x730 [ 881.278985] binder: 15482:15493 ioctl 40046207 0 returned -16 [ 881.283376] ? rcu_read_lock_sched_held+0x108/0x120 [ 881.283399] apparmor_fs_context_alloc+0x43/0xa0 [ 881.283418] security_fs_context_alloc+0x54/0xb0 [ 881.283441] vfs_new_fs_context+0x318/0x720 [ 881.287324] binder: 15481:15495 got transaction to invalid handle [ 881.290961] do_mount+0x605/0x1e30 [ 881.290977] ? rcu_is_watching+0x8c/0x150 [ 881.290991] ? trace_hardirqs_on+0xbd/0x2c0 [ 881.291012] ? copy_mount_string+0x40/0x40 [ 881.295200] binder: 15481:15495 transaction failed 29201/-22, size 0-0 line 2855 [ 881.300441] ? copy_mount_options+0x5f/0x380 [ 881.300459] ? kmem_cache_alloc_trace+0x324/0x730 [ 881.300483] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 881.304895] binder: release 15482:15493 transaction 9937 in, still active [ 881.308848] ? _copy_from_user+0xdf/0x150 [ 881.308871] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 881.308887] ? copy_mount_options+0x285/0x380 [ 881.308907] ksys_mount+0x12d/0x140 [ 881.308926] __x64_sys_mount+0xbe/0x150 [ 881.313877] binder: send failed reply for transaction 9937 to 15481:15495 [ 881.320081] do_syscall_64+0x1b9/0x820 [ 881.320100] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 881.320121] ? syscall_return_slowpath+0x5e0/0x5e0 [ 881.324291] binder: undelivered TRANSACTION_ERROR: 29189 [ 881.328575] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 881.328594] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 881.328613] ? recalc_sigpending_tsk+0x180/0x180 [ 881.503253] ? kasan_check_write+0x14/0x20 [ 881.507500] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 881.512356] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 881.517546] RIP: 0033:0x457099 [ 881.520751] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 881.539652] RSP: 002b:00007f7d81711c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 881.547364] RAX: ffffffffffffffda RBX: 00007f7d817126d4 RCX: 0000000000457099 [ 881.554635] RDX: 00000000200003c0 RSI: 0000000020000380 RDI: 0000000000000000 07:50:26 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x0, 0x0) r0 = add_key$keyring(&(0x7f0000000000)='keyring\x00', &(0x7f0000000040)={0x73, 0x79, 0x7a, 0x2}, 0x0, 0x0, 0xfffffffffffffffd) keyctl$clear(0x7, r0) 07:50:26 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x600, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 881.561908] RBP: 00000000009300a0 R08: 00000000200004c0 R09: 0000000000000000 [ 881.569180] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007 [ 881.576450] R13: 00000000004d3228 R14: 00000000004c81cc R15: 0000000000000006 [ 881.597543] binder: undelivered TRANSACTION_ERROR: 29201 07:50:26 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x0, @loopback=0x7f000500}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 881.621587] could not allocate digest TFM handle sha1-generic^d 07:50:26 executing program 7 (fault-call:5 fault-nth:7): socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:50:26 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={'sha1-generic\x00\x00\x00\x00\x00\x00\x00\n\x00'}}) 07:50:26 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:50:26 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) vmsplice(r0, &(0x7f0000000240)=[{&(0x7f0000000000)="3d0104b5dc1556427be67c8487ab39592c27edc122ca59b99561f2336223417878fc6207d7227def304c990d20720ad70a3a4bb17918c15ac44f1759a1de8b17841e7477591f69f308537c5c7f32030367cc48fc2f8761ae2056309cadb3ba1e81e0bb55b95fb6350d036b995cd299602714f859ab442246e5a7ff9e8e531c06572172f5e5c00602dbfb2d31da101552a1877be28e75af74fb2df26f13cdaf7b67866124a6bd5578df022974a57247c20b890dc554a334f7a659b07b41f9afb944bb0f36d9", 0xc5}, {&(0x7f0000000140)="191eff8ac056e8f9e812da4377ba8ce27c4e5f310cf84fba3f50c13f", 0x1c}, {&(0x7f0000000180)="b6cc2487937c5a4e28f346a6361d90aa35f790292a7e04bbe02124faaae89c59853af5e664d26598922a3fb99f3b3d13090267563fcee0d5586be8a8a9fd", 0x3e}, {&(0x7f00000001c0)="17f365132ef153e42b7194baf4161600090cc36cd4fb58591e5b152af551c8a1e688a66bc01eb4b513b8fe036b035edc53c44612b21ebe44564dc638ab68e1ef6503861c3732f6bf07", 0x49}], 0x4, 0x2) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x0, 0x0) [ 881.918461] binder: 15513:15521 got transaction to invalid handle [ 881.924815] binder: 15513:15521 transaction failed 29201/-22, size 1536-0 line 2855 [ 881.995406] FAULT_INJECTION: forcing a failure. [ 881.995406] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 882.007379] CPU: 0 PID: 15528 Comm: syz-executor7 Not tainted 4.19.0-rc2-next-20180904+ #55 [ 882.015895] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 882.025260] Call Trace: [ 882.027873] dump_stack+0x1c9/0x2b4 [ 882.031529] ? dump_stack_print_info.cold.2+0x52/0x52 [ 882.036761] should_fail.cold.4+0xa/0x11 [ 882.040850] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 882.045973] ? rcu_is_watching+0x8c/0x150 [ 882.050145] ? graph_lock+0x170/0x170 [ 882.053972] ? rcu_cleanup_dead_rnp+0x200/0x200 [ 882.058676] ? find_held_lock+0x36/0x1c0 [ 882.062782] ? check_same_owner+0x340/0x340 [ 882.067132] ? rcu_note_context_switch+0x680/0x680 [ 882.072093] ? legacy_parse_monolithic+0xde/0x1e0 [ 882.076963] __alloc_pages_nodemask+0x365/0xd10 [ 882.081651] ? find_held_lock+0x36/0x1c0 [ 882.085736] ? __alloc_pages_slowpath+0x2cb0/0x2cb0 [ 882.090781] ? __kmalloc_track_caller+0x26e/0x720 [ 882.095649] ? rcu_is_watching+0x8c/0x150 [ 882.099810] ? trace_hardirqs_on+0xbd/0x2c0 [ 882.104150] ? rcu_pm_notify+0xc0/0xc0 [ 882.108073] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 882.113634] alloc_pages_current+0x10c/0x210 [ 882.118108] get_zeroed_page+0x14/0x50 [ 882.122020] legacy_validate+0x133/0x220 [ 882.126098] ? logfc+0x760/0x760 [ 882.129508] vfs_get_tree+0x144/0x5c0 [ 882.133340] do_mount+0x6f9/0x1e30 [ 882.136907] ? rcu_is_watching+0x8c/0x150 [ 882.141077] ? trace_hardirqs_on+0xbd/0x2c0 [ 882.145437] ? copy_mount_string+0x40/0x40 [ 882.149707] ? copy_mount_options+0x5f/0x380 [ 882.154138] ? kmem_cache_alloc_trace+0x324/0x730 [ 882.159011] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 882.164572] ? _copy_from_user+0xdf/0x150 [ 882.168751] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 882.174310] ? copy_mount_options+0x285/0x380 [ 882.178832] ksys_mount+0x12d/0x140 [ 882.182482] __x64_sys_mount+0xbe/0x150 [ 882.186488] do_syscall_64+0x1b9/0x820 [ 882.190440] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 882.195820] ? syscall_return_slowpath+0x5e0/0x5e0 [ 882.200769] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 882.205803] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 882.210844] ? recalc_sigpending_tsk+0x180/0x180 [ 882.211459] binder: undelivered TRANSACTION_COMPLETE [ 882.215615] ? kasan_check_write+0x14/0x20 [ 882.215639] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 882.215664] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 882.215678] RIP: 0033:0x457099 [ 882.215695] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 882.215704] RSP: 002b:00007f7d81711c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 882.215723] RAX: ffffffffffffffda RBX: 00007f7d817126d4 RCX: 0000000000457099 [ 882.215732] RDX: 00000000200003c0 RSI: 0000000020000380 RDI: 0000000000000000 [ 882.215742] RBP: 00000000009300a0 R08: 00000000200004c0 R09: 0000000000000000 [ 882.215752] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007 07:50:27 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0xe75, 0x0, &(0x7f0000000080)}) 07:50:27 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x0, @loopback=0x7f000008}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:27 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = dup(r0) ioctl$UI_DEV_DESTROY(r1, 0x5502) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x0, 0x0) [ 882.215761] R13: 00000000004d3228 R14: 00000000004c81cc R15: 0000000000000007 [ 882.303837] binder: undelivered TRANSACTION_ERROR: 29189 07:50:27 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963570dee13c8ece200"}}) [ 882.459078] binder: BINDER_SET_CONTEXT_MGR already set [ 882.486511] binder: 15539:15541 ioctl 40046207 0 returned -16 [ 882.528612] binder_alloc: binder_alloc_mmap_handler: 15513 20001000-20004000 already mapped failed -16 [ 882.557312] binder: BINDER_SET_CONTEXT_MGR already set 07:50:27 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x3, 0x12, &(0x7f0000000140)=""/230) r0 = syz_open_dev$dspn(&(0x7f0000000000)='/dev/dsp#\x00', 0xc0, 0x22000) ioctl$KVM_REGISTER_COALESCED_MMIO(r0, 0x4010ae67, &(0x7f0000000040)={0x4000, 0x15000}) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x0, 0x0) 07:50:27 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) [ 882.579147] binder: 15539:15553 got transaction to invalid handle [ 882.580215] binder: 15513:15517 ioctl 40046207 0 returned -16 [ 882.616325] binder: release 15513:15517 transaction 9945 in, still active 07:50:27 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x0, @loopback=0x7f00000a}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 882.623453] binder: send failed reply for transaction 9945 to 15539:15553 [ 882.630472] binder: undelivered TRANSACTION_ERROR: 29201 [ 882.637820] could not allocate digest TFM handle sha1-genericW  [ 882.655270] could not allocate digest TFM handle sha1-genericW  [ 882.685363] binder: undelivered TRANSACTION_ERROR: 29201 07:50:27 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 883.272268] binder: undelivered TRANSACTION_COMPLETE [ 883.697720] binder_alloc: binder_alloc_mmap_handler: 15576 20001000-20004000 already mapped failed -16 [ 883.707616] binder: BINDER_SET_CONTEXT_MGR already set [ 883.713221] binder: 15576:15581 ioctl 40046207 0 returned -16 [ 883.720592] binder_transaction: 2 callbacks suppressed [ 883.720601] binder: 15576:15585 got transaction to invalid handle [ 883.732327] binder_transaction: 3 callbacks suppressed [ 883.732344] binder: 15576:15585 transaction failed 29201/-22, size 6-0 line 2855 [ 883.746085] binder_release_work: 1 callbacks suppressed [ 883.746092] binder: undelivered TRANSACTION_ERROR: 29201 [ 883.766909] binder: undelivered TRANSACTION_ERROR: 29201 07:50:28 executing program 7 (fault-call:5 fault-nth:8): socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:50:28 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963d3309f0200"}}) 07:50:28 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x0, 0x0) r0 = openat$vsock(0xffffffffffffff9c, &(0x7f0000000180)='/dev/vsock\x00', 0x80, 0x0) ioctl$UFFDIO_WAKE(r0, 0x8010aa02, &(0x7f0000000040)={&(0x7f0000ffe000/0x2000)=nil, 0x2000}) 07:50:28 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:50:28 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x0, @loopback=0x7f00000b}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:28 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x400000000000000, 0x0, &(0x7f0000000080)}) 07:50:29 executing program 5: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00', 0x2, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r0, &(0x7f00000000c0)=""/11, 0xeb) 07:50:29 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7a0e000000000000, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 884.050200] Unknown ioctl -2146391550 [ 884.063273] binder: release 15594:15602 transaction 9954 out, still active [ 884.071116] binder: unexpected work type, 4, not freed [ 884.076464] binder: undelivered TRANSACTION_COMPLETE [ 884.079553] Unknown ioctl -2146391550 [ 884.087179] binder: BINDER_SET_CONTEXT_MGR already set [ 884.094257] FAULT_INJECTION: forcing a failure. [ 884.094257] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 884.106130] CPU: 1 PID: 15600 Comm: syz-executor7 Not tainted 4.19.0-rc2-next-20180904+ #55 [ 884.114635] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 884.123998] Call Trace: [ 884.125555] could not allocate digest TFM handle sha1-generic0 [ 884.126606] dump_stack+0x1c9/0x2b4 [ 884.126630] ? dump_stack_print_info.cold.2+0x52/0x52 [ 884.126664] should_fail.cold.4+0xa/0x11 07:50:29 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963911fea41e1bc9400"}}) 07:50:29 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) openat$null(0xffffffffffffff9c, &(0x7f0000000040)='/dev/null\x00', 0x400040, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) r0 = openat$mixer(0xffffffffffffff9c, &(0x7f0000000000)='/dev/mixer\x00', 0x0, 0x0) ioctl$TCSBRK(r0, 0x5409, 0x1) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x0, 0x0) 07:50:29 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x0, @loopback=0x7f000004}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 884.126698] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 884.126716] ? rcu_is_watching+0x8c/0x150 [ 884.126749] ? graph_lock+0x170/0x170 [ 884.126765] ? rcu_cleanup_dead_rnp+0x200/0x200 [ 884.126799] ? find_held_lock+0x36/0x1c0 [ 884.167334] binder: 15596:15603 ioctl 40046207 0 returned -16 [ 884.167639] ? check_same_owner+0x340/0x340 [ 884.167662] ? rcu_note_context_switch+0x680/0x680 [ 884.182800] ? legacy_parse_monolithic+0xde/0x1e0 [ 884.187723] __alloc_pages_nodemask+0x365/0xd10 [ 884.192412] ? find_held_lock+0x36/0x1c0 [ 884.196491] ? __alloc_pages_slowpath+0x2cb0/0x2cb0 [ 884.201344] binder_alloc: 15594: binder_alloc_buf, no vma [ 884.201524] ? __kmalloc_track_caller+0x26e/0x720 [ 884.207225] binder: 15594:15602 transaction failed 29189/-3, size 0-0 line 2970 [ 884.211904] ? rcu_is_watching+0x8c/0x150 [ 884.211918] ? trace_hardirqs_on+0xbd/0x2c0 [ 884.211934] ? rcu_pm_notify+0xc0/0xc0 [ 884.211963] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 884.237297] alloc_pages_current+0x10c/0x210 [ 884.241746] get_zeroed_page+0x14/0x50 [ 884.245674] legacy_validate+0x133/0x220 [ 884.249753] ? logfc+0x760/0x760 [ 884.253140] vfs_get_tree+0x144/0x5c0 [ 884.256960] do_mount+0x6f9/0x1e30 [ 884.260516] ? rcu_is_watching+0x8c/0x150 [ 884.264678] ? trace_hardirqs_on+0xbd/0x2c0 [ 884.269027] ? copy_mount_string+0x40/0x40 [ 884.273286] ? copy_mount_options+0x5f/0x380 [ 884.277711] ? kmem_cache_alloc_trace+0x324/0x730 [ 884.282591] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 884.288149] ? copy_mount_options+0x285/0x380 [ 884.292664] ksys_mount+0x12d/0x140 [ 884.296311] __x64_sys_mount+0xbe/0x150 [ 884.300307] do_syscall_64+0x1b9/0x820 [ 884.304215] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 884.309654] ? syscall_return_slowpath+0x5e0/0x5e0 [ 884.314606] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 884.319469] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 884.324501] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 884.329535] ? prepare_exit_to_usermode+0x291/0x3b0 [ 884.334570] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 884.339458] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 884.344658] RIP: 0033:0x457099 [ 884.347868] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 884.360542] binder: 15596:15613 got transaction to invalid handle [ 884.366784] RSP: 002b:00007f7d81711c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 884.366803] RAX: ffffffffffffffda RBX: 00007f7d817126d4 RCX: 0000000000457099 [ 884.366813] RDX: 00000000200003c0 RSI: 0000000020000380 RDI: 0000000000000000 07:50:29 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x4c000000, 0x0, &(0x7f0000000080)}) [ 884.366823] RBP: 00000000009300a0 R08: 00000000200004c0 R09: 0000000000000000 [ 884.366832] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007 [ 884.366842] R13: 00000000004d3228 R14: 00000000004c81cc R15: 0000000000000008 [ 884.404852] binder: release 15594:15602 transaction 9954 in, still active [ 884.410301] binder: 15596:15613 transaction failed 29201/-22, size 8794967122301157376-0 line 2855 [ 884.417583] binder: send failed reply for transaction 9954, target dead 07:50:29 executing program 7 (fault-call:5 fault-nth:9): socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 884.513858] could not allocate digest TFM handle sha1-genericAἔ 07:50:29 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963005cdb5cd38e627000"}}) 07:50:29 executing program 2: r0 = semget(0x1, 0x1, 0x22a) semctl$SEM_STAT(r0, 0x4, 0x12, &(0x7f0000000000)=""/232) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) r1 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r2 = openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f0000000140)='/dev/qat_adf_ctl\x00', 0x200400, 0x0) ioctl$UFFDIO_UNREGISTER(r2, 0x8010aa01, &(0x7f0000000180)={&(0x7f0000ffc000/0x4000)=nil, 0x4000}) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$SNDRV_SEQ_IOCTL_QUERY_NEXT_PORT(r2, 0xc0a85352, &(0x7f00000001c0)={{0x8, 0x2}, 'port1\x00', 0x4, 0x8, 0x1, 0x7, 0xfffffffffffffff9, 0x2f, 0xfff, 0x0, 0x1, 0x3ff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x1) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x0, 0x0) 07:50:29 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x0, @loopback, [0xe]}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:29 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) [ 884.569215] binder: release 15631:15636 transaction 9960 out, still active [ 884.576474] binder: unexpected work type, 4, not freed [ 884.581924] binder: undelivered TRANSACTION_COMPLETE [ 884.601795] binder_alloc: 15631: binder_alloc_buf, no vma [ 884.607471] binder: 15631:15636 transaction failed 29189/-3, size 0-0 line 2970 07:50:29 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x750e0000, 0x0, &(0x7f0000000080)}) [ 884.673837] binder: release 15631:15636 transaction 9960 in, still active [ 884.680885] binder: send failed reply for transaction 9960, target dead [ 884.817737] FAULT_INJECTION: forcing a failure. [ 884.817737] name failslab, interval 1, probability 0, space 0, times 0 [ 884.829146] CPU: 0 PID: 15644 Comm: syz-executor7 Not tainted 4.19.0-rc2-next-20180904+ #55 [ 884.837649] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 884.847011] Call Trace: [ 884.849632] dump_stack+0x1c9/0x2b4 [ 884.853289] ? dump_stack_print_info.cold.2+0x52/0x52 [ 884.858497] ? __schedule+0x884/0x1df0 [ 884.862417] should_fail.cold.4+0xa/0x11 [ 884.862556] binder_alloc: binder_alloc_mmap_handler: 15596 20001000-20004000 already mapped failed -16 [ 884.866504] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 884.866537] ? ___might_sleep+0xf7/0x330 [ 884.866563] ? kasan_check_read+0x11/0x20 [ 884.883570] binder: 15596:15651 got transaction to invalid handle [ 884.885171] ? rcu_is_watching+0x8c/0x150 [ 884.885198] ? find_held_lock+0x36/0x1c0 [ 884.885254] ? check_same_owner+0x340/0x340 [ 884.889425] binder: 15596:15651 transaction failed 29201/-22, size 8794967122301157376-0 line 2855 [ 884.895621] ? rcu_note_context_switch+0x680/0x680 [ 884.895636] ? __kmalloc_track_caller+0x26e/0x720 [ 884.895657] __should_failslab+0x124/0x180 [ 884.895676] should_failslab+0x9/0x14 [ 884.900910] binder: undelivered TRANSACTION_ERROR: 29201 [ 884.903870] kmem_cache_alloc_trace+0x2b5/0x730 [ 884.903897] v9fs_mount+0x61/0x900 [ 884.903917] ? v9fs_drop_inode+0x150/0x150 [ 884.903932] legacy_get_tree+0x131/0x460 [ 884.903970] vfs_get_tree+0x1cb/0x5c0 [ 884.960810] do_mount+0x6f9/0x1e30 [ 884.964357] ? rcu_is_watching+0x8c/0x150 [ 884.968503] ? trace_hardirqs_on+0xbd/0x2c0 [ 884.972823] ? copy_mount_string+0x40/0x40 [ 884.977049] ? copy_mount_options+0x5f/0x380 [ 884.981447] ? kmem_cache_alloc_trace+0x324/0x730 [ 884.986316] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 884.991861] ? _copy_from_user+0xdf/0x150 [ 884.996023] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 885.001555] ? copy_mount_options+0x285/0x380 [ 885.006054] ksys_mount+0x12d/0x140 [ 885.009681] __x64_sys_mount+0xbe/0x150 [ 885.013644] do_syscall_64+0x1b9/0x820 [ 885.017552] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 885.022917] ? syscall_return_slowpath+0x5e0/0x5e0 [ 885.027868] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 885.032722] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 885.037741] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 885.042755] ? prepare_exit_to_usermode+0x291/0x3b0 [ 885.047784] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 885.052642] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 885.057837] RIP: 0033:0x457099 [ 885.061052] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 885.079950] RSP: 002b:00007f7d81711c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 885.087651] RAX: ffffffffffffffda RBX: 00007f7d817126d4 RCX: 0000000000457099 [ 885.094916] RDX: 00000000200003c0 RSI: 0000000020000380 RDI: 0000000000000000 [ 885.102196] RBP: 00000000009300a0 R08: 00000000200004c0 R09: 0000000000000000 [ 885.109452] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007 07:50:30 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) r0 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000000000)='/dev/vga_arbiter\x00', 0x80, 0x0) getpeername$unix(r0, &(0x7f0000000040), &(0x7f00000000c0)=0x6e) ioctl$TIOCGPGRP(r0, 0x540f, &(0x7f0000000140)=0x0) write$P9_RGETLOCK(r0, &(0x7f0000000180)={0x37, 0x37, 0x1, {0x1, 0x6, 0xfffffffffffffffb, r1, 0x19, '{,selfsystemsecuritywlan1'}}, 0x37) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x280800, 0x0) [ 885.116719] R13: 00000000004d3228 R14: 00000000004c81cc R15: 0000000000000009 [ 885.132885] binder: undelivered TRANSACTION_ERROR: 29201 07:50:30 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200000000000000, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:50:30 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x0, @loopback, [0xfffffffe]}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:30 executing program 7 (fault-call:5 fault-nth:10): socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 885.173546] binder: release 15650:15654 transaction 9967 out, still active [ 885.180747] binder: unexpected work type, 4, not freed [ 885.186089] binder: undelivered TRANSACTION_COMPLETE [ 885.209673] binder_alloc: 15650: binder_alloc_buf, no vma [ 885.215430] binder: 15650:15654 transaction failed 29189/-3, size 0-0 line 2970 [ 885.266821] binder: release 15650:15654 transaction 9967 in, still active [ 885.273926] binder: send failed reply for transaction 9967, target dead [ 885.443376] binder: 15665:15672 got transaction to invalid handle [ 885.449822] binder: 15665:15672 transaction failed 29201/-22, size 144115188075855872-0 line 2855 [ 885.484391] FAULT_INJECTION: forcing a failure. [ 885.484391] name failslab, interval 1, probability 0, space 0, times 0 [ 885.495722] CPU: 0 PID: 15674 Comm: syz-executor7 Not tainted 4.19.0-rc2-next-20180904+ #55 [ 885.504249] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 885.513607] Call Trace: [ 885.516204] dump_stack+0x1c9/0x2b4 [ 885.519853] ? dump_stack_print_info.cold.2+0x52/0x52 [ 885.525051] ? graph_lock+0x170/0x170 [ 885.528878] should_fail.cold.4+0xa/0x11 [ 885.532975] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 885.538111] ? find_held_lock+0x36/0x1c0 [ 885.542188] ? lock_downgrade+0x8f0/0x8f0 [ 885.546351] ? find_held_lock+0x36/0x1c0 [ 885.550439] ? check_same_owner+0x340/0x340 [ 885.554766] ? unwind_get_return_address+0x61/0xa0 [ 885.559717] ? rcu_note_context_switch+0x680/0x680 [ 885.564686] __should_failslab+0x124/0x180 [ 885.568927] should_failslab+0x9/0x14 [ 885.572752] __kmalloc_track_caller+0x2ae/0x720 [ 885.577427] ? save_stack+0xa9/0xd0 [ 885.581060] ? save_stack+0x43/0xd0 [ 885.584689] ? kasan_kmalloc+0xc4/0xe0 [ 885.588583] ? v9fs_mount+0x61/0x900 [ 885.592386] ? v9fs_session_init+0xdd/0x1a80 [ 885.596820] kstrdup+0x39/0x70 [ 885.600026] v9fs_session_init+0xdd/0x1a80 [ 885.604294] ? find_held_lock+0x36/0x1c0 [ 885.608383] ? v9fs_show_options+0x7e0/0x7e0 [ 885.612795] ? kmem_cache_alloc_trace+0x275/0x730 [ 885.617641] ? kasan_check_read+0x11/0x20 [ 885.621792] ? rcu_is_watching+0x8c/0x150 [ 885.625941] ? trace_hardirqs_on+0xbd/0x2c0 [ 885.630271] ? rcu_pm_notify+0xc0/0xc0 [ 885.634171] ? v9fs_mount+0x61/0x900 [ 885.637896] ? rcu_read_lock_sched_held+0x108/0x120 [ 885.642926] ? kmem_cache_alloc_trace+0x324/0x730 [ 885.647782] v9fs_mount+0x7c/0x900 [ 885.651331] ? v9fs_drop_inode+0x150/0x150 [ 885.655574] legacy_get_tree+0x131/0x460 [ 885.659647] vfs_get_tree+0x1cb/0x5c0 [ 885.663459] do_mount+0x6f9/0x1e30 [ 885.667001] ? rcu_is_watching+0x8c/0x150 [ 885.671162] ? trace_hardirqs_on+0xbd/0x2c0 [ 885.675490] ? copy_mount_string+0x40/0x40 [ 885.679727] ? copy_mount_options+0x5f/0x380 [ 885.684140] ? kmem_cache_alloc_trace+0x324/0x730 [ 885.688996] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 885.694554] ? _copy_from_user+0xdf/0x150 [ 885.698706] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 885.704289] ? copy_mount_options+0x285/0x380 [ 885.708788] ksys_mount+0x12d/0x140 [ 885.712418] __x64_sys_mount+0xbe/0x150 [ 885.716408] do_syscall_64+0x1b9/0x820 [ 885.720295] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 885.725661] ? syscall_return_slowpath+0x5e0/0x5e0 [ 885.730589] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 885.735604] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 885.740627] ? recalc_sigpending_tsk+0x180/0x180 [ 885.745385] ? kasan_check_write+0x14/0x20 [ 885.749629] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 885.754487] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 885.759684] RIP: 0033:0x457099 [ 885.762890] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 885.781789] RSP: 002b:00007f7d81711c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 885.789497] RAX: ffffffffffffffda RBX: 00007f7d817126d4 RCX: 0000000000457099 [ 885.796766] RDX: 00000000200003c0 RSI: 0000000020000380 RDI: 0000000000000000 [ 885.804030] RBP: 00000000009300a0 R08: 00000000200004c0 R09: 0000000000000000 [ 885.811298] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007 [ 885.818568] R13: 00000000004d3228 R14: 00000000004c81cc R15: 000000000000000a [ 886.197111] binder_alloc: binder_alloc_mmap_handler: 15665 20001000-20004000 already mapped failed -16 [ 886.206947] binder: BINDER_SET_CONTEXT_MGR already set [ 886.214097] binder: 15665:15672 ioctl 40046207 0 returned -16 [ 886.221227] binder: 15665:15685 got transaction to invalid handle [ 886.227567] binder: 15665:15685 transaction failed 29201/-22, size 144115188075855872-0 line 2855 [ 886.237756] binder: undelivered TRANSACTION_ERROR: 29201 [ 886.243435] binder: undelivered TRANSACTION_ERROR: 29201 07:50:32 executing program 5: r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00', 0x2, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) ioctl$EXT4_IOC_MIGRATE(r0, 0x6609) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r1, &(0x7f00000000c0)=""/11, 0xeb) 07:50:32 executing program 7 (fault-call:5 fault-nth:11): socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:50:32 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963003cd99b26e2dbb600"}}) 07:50:32 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x20000000, 0x0, &(0x7f0000000080)}) 07:50:32 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x5, 0x0, 0x8, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$SG_GET_NUM_WAITING(r0, 0x227d, &(0x7f00000000c0)) getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE(0xffffffffffffff9c, 0x84, 0x7c, &(0x7f0000000000)={0x0, 0x4, 0x8}, &(0x7f0000000040)=0x8) setsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(0xffffffffffffffff, 0x84, 0x6, &(0x7f0000000140)={r1, @in6={{0xa, 0x4e20, 0x5, @dev={0xfe, 0x80, [], 0x16}, 0x2}}}, 0x84) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x0, 0x0) 07:50:32 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x0, @loopback, [0x4]}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:32 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:50:32 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x300000000000000, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 887.375745] binder: release 15693:15700 transaction 9975 out, still active [ 887.382921] binder: unexpected work type, 4, not freed [ 887.386434] binder: BINDER_SET_CONTEXT_MGR already set [ 887.388289] binder: undelivered TRANSACTION_COMPLETE [ 887.400297] binder: 15690:15704 ioctl 40046207 0 returned -16 [ 887.411906] FAULT_INJECTION: forcing a failure. [ 887.411906] name failslab, interval 1, probability 0, space 0, times 0 [ 887.423247] CPU: 0 PID: 15699 Comm: syz-executor7 Not tainted 4.19.0-rc2-next-20180904+ #55 [ 887.429273] binder_alloc: 15693: binder_alloc_buf, no vma [ 887.431748] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 887.431756] Call Trace: [ 887.431781] dump_stack+0x1c9/0x2b4 [ 887.431804] ? dump_stack_print_info.cold.2+0x52/0x52 [ 887.431839] should_fail.cold.4+0xa/0x11 [ 887.437492] binder: 15693:15700 transaction failed 29189/-3, size 0-0 line 2970 [ 887.446755] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 887.446799] ? kasan_check_read+0x11/0x20 [ 887.446813] ? rcu_is_watching+0x8c/0x150 [ 887.446832] ? find_held_lock+0x36/0x1c0 [ 887.446883] ? check_same_owner+0x340/0x340 [ 887.491561] ? rcu_note_context_switch+0x680/0x680 [ 887.496513] ? __kmalloc_track_caller+0x26e/0x720 [ 887.501382] __should_failslab+0x124/0x180 [ 887.504880] binder: release 15693:15700 transaction 9975 in, still active [ 887.505625] should_failslab+0x9/0x14 [ 887.505640] kmem_cache_alloc_trace+0x2b5/0x730 [ 887.505665] v9fs_mount+0x61/0x900 [ 887.505684] ? v9fs_drop_inode+0x150/0x150 [ 887.505701] legacy_get_tree+0x131/0x460 [ 887.512668] binder: send failed reply for transaction 9975, target dead [ 887.516438] vfs_get_tree+0x1cb/0x5c0 [ 887.516457] do_mount+0x6f9/0x1e30 [ 887.516470] ? rcu_is_watching+0x8c/0x150 [ 887.516483] ? trace_hardirqs_on+0xbd/0x2c0 [ 887.516501] ? copy_mount_string+0x40/0x40 [ 887.559654] ? copy_mount_options+0x5f/0x380 [ 887.564068] ? kmem_cache_alloc_trace+0x324/0x730 [ 887.568933] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 887.574479] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 887.580039] ? copy_mount_options+0x285/0x380 [ 887.584540] ksys_mount+0x12d/0x140 [ 887.588170] __x64_sys_mount+0xbe/0x150 [ 887.592153] do_syscall_64+0x1b9/0x820 [ 887.596047] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 887.601419] ? syscall_return_slowpath+0x5e0/0x5e0 [ 887.606353] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 887.611378] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 887.616405] ? recalc_sigpending_tsk+0x180/0x180 [ 887.621169] ? kasan_check_write+0x14/0x20 [ 887.625426] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 887.630280] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 887.635478] RIP: 0033:0x457099 [ 887.638697] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 887.657620] RSP: 002b:00007f7d81711c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 887.665347] RAX: ffffffffffffffda RBX: 00007f7d817126d4 RCX: 0000000000457099 07:50:32 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x0, @loopback, [0x91ffffff]}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:32 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963008a39579fef2d2100"}}) 07:50:32 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x200000000000000, 0x0, &(0x7f0000000080)}) [ 887.672637] RDX: 00000000200003c0 RSI: 0000000020000380 RDI: 0000000000000000 [ 887.679908] RBP: 00000000009300a0 R08: 00000000200004c0 R09: 0000000000000000 [ 887.687174] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007 [ 887.694454] R13: 00000000004d3228 R14: 00000000004c81cc R15: 000000000000000b 07:50:32 executing program 2: r0 = openat$ipvs(0xffffffffffffff9c, &(0x7f00000001c0)='/proc/sys/net/ipv4/vs/sync_sock_size\x00', 0x2, 0x0) r1 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000240)='IPVS\x00') sendmsg$IPVS_CMD_GET_DAEMON(r0, &(0x7f0000000400)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x108000}, 0xc, &(0x7f00000003c0)={&(0x7f0000000280)={0x12c, r1, 0x0, 0x70bd29, 0x25dfdbff, {}, [@IPVS_CMD_ATTR_DAEMON={0x30, 0x3, [@IPVS_DAEMON_ATTR_MCAST_PORT={0x8, 0x7, 0x4e21}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14}, @IPVS_DAEMON_ATTR_SYNC_MAXLEN={0x8, 0x4, 0x3ff}, @IPVS_DAEMON_ATTR_SYNC_MAXLEN={0x8, 0x4, 0x9}]}, @IPVS_CMD_ATTR_DEST={0x3c, 0x2, [@IPVS_DEST_ATTR_ADDR={0x14, 0x1, @ipv6=@local}, @IPVS_DEST_ATTR_ADDR={0x14}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e22}, @IPVS_DEST_ATTR_FWD_METHOD={0x8}]}, @IPVS_CMD_ATTR_DEST={0xc, 0x2, [@IPVS_DEST_ATTR_INACT_CONNS={0x8, 0x8, 0x9}]}, @IPVS_CMD_ATTR_DAEMON={0x6c, 0x3, [@IPVS_DAEMON_ATTR_STATE={0x8}, @IPVS_DAEMON_ATTR_SYNC_ID={0x8, 0x3, 0x3}, @IPVS_DAEMON_ATTR_MCAST_IFN={0x14, 0x2, 'veth1_to_bridge\x00'}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x8, 0x7, 0x4e22}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x8, 0x8, 0x6}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x8, 0x8, 0xb0b}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x2}, @IPVS_DAEMON_ATTR_MCAST_TTL={0x8, 0x8, 0x3}, @IPVS_DAEMON_ATTR_SYNC_ID={0x8, 0x3, 0x2}, @IPVS_DAEMON_ATTR_MCAST_GROUP6={0x14, 0x6, @loopback}]}, @IPVS_CMD_ATTR_DEST={0x1c, 0x2, [@IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0x5}, @IPVS_DEST_ATTR_L_THRESH={0x8, 0x6, 0x2}, @IPVS_DEST_ATTR_PORT={0x8, 0x2, 0x4e21}]}, @IPVS_CMD_ATTR_TIMEOUT_TCP={0x8, 0x4, 0x5}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x61}, @IPVS_CMD_ATTR_TIMEOUT_TCP_FIN={0x8, 0x5, 0x4}]}, 0x12c}, 0x1, 0x0, 0x0, 0x8000}, 0x20000000) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) r2 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x5, 0x12, &(0x7f0000000980)=""/230) r3 = fcntl$getown(r0, 0x9) perf_event_open(&(0x7f0000000880)={0x0, 0x70, 0x8, 0x5, 0x80, 0x1c00000000000000, 0x0, 0x528, 0x24a83, 0x6, 0xdfd, 0xfffffffffffffffc, 0x7, 0x359, 0x8, 0xffffffffffffee18, 0x3, 0x7, 0xfffffffffffffffa, 0x2, 0x7, 0xe2, 0x2, 0x8, 0x0, 0x8001, 0x4, 0xe32, 0x4, 0x7, 0x6, 0x7, 0xb98c, 0x0, 0x6, 0xdd, 0x200, 0x1f, 0x0, 0x3, 0x2, @perf_bp={&(0x7f0000000680)}, 0x1409, 0xec, 0xffffffffffffffe1, 0x7, 0x683, 0x2, 0x1}, r3, 0xf, r2, 0xb) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) r4 = syz_open_dev$amidi(&(0x7f0000000140)='/dev/amidi#\x00', 0x5, 0x80) ioctl$SNDRV_RAWMIDI_IOCTL_STATUS(r4, 0xc0385720, &(0x7f0000000180)={0x0, {0x77359400}, 0x3, 0x8}) r5 = syz_genetlink_get_family_id$team(&(0x7f0000000500)='team\x00') getsockopt$inet6_IPV6_IPSEC_POLICY(r4, 0x29, 0x22, &(0x7f0000000540)={{{@in6=@loopback, @in6=@local, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@loopback}, 0x0, @in6=@remote}}, &(0x7f0000000640)=0xe8) getsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f00000006c0)={{{@in=@broadcast, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@local}, 0x0, @in=@multicast1}}, &(0x7f00000007c0)=0xe8) getsockopt$inet_pktinfo(r4, 0x0, 0x8, &(0x7f0000000800)={0x0, @dev, @multicast1}, &(0x7f0000000840)=0xc) getsockopt$inet_IP_IPSEC_POLICY(r0, 0x0, 0x10, &(0x7f0000001ec0)={{{@in=@dev, @in=@loopback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@rand_addr}, 0x0, @in6=@mcast2}}, &(0x7f0000001fc0)=0xe8) getsockopt$inet_IP_IPSEC_POLICY(r0, 0x0, 0x10, &(0x7f0000002000)={{{@in6, @in, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@dev}, 0x0, @in=@multicast2}}, &(0x7f0000002100)=0xe8) getsockname$packet(r0, &(0x7f0000002180)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @local}, &(0x7f00000021c0)=0x14) ioctl$ifreq_SIOCGIFINDEX_team(r0, 0x8933, &(0x7f0000002200)={'team0\x00', 0x0}) ioctl$ifreq_SIOCGIFINDEX_team(r4, 0x8933, &(0x7f0000002480)={'team0\x00', 0x0}) ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f00000024c0)={'irlan0\x00', 0x0}) getsockopt$inet6_IPV6_XFRM_POLICY(r4, 0x29, 0x23, &(0x7f0000002500)={{{@in6, @in6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@broadcast}}}, &(0x7f0000002600)=0xe8) accept4$packet(r0, &(0x7f0000002640)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @link_local}, &(0x7f0000002680)=0x14, 0x80800) getpeername$packet(r0, &(0x7f00000026c0)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @random}, &(0x7f0000002700)=0x14) ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000004100)={'eql\x00', 0x0}) getsockopt$inet_mreqn(r0, 0x0, 0x20, &(0x7f0000004140)={@loopback, @loopback, 0x0}, &(0x7f0000004180)=0xc) sendmsg$TEAM_CMD_PORT_LIST_GET(r0, &(0x7f00000046c0)={&(0x7f0000000440)={0x10, 0x0, 0x0, 0x100}, 0xc, &(0x7f0000004680)={&(0x7f0000000a80)=ANY=[@ANYBLOB="c9c8d98fbea6617edf844d7a4d0de40e8878c3ef4617b66047aad14c3f07ff718cab81b52714c7b96295d0a01ba9a7b4690edcf49491271820dd9edd326071734c96", @ANYRES16=r5, @ANYBLOB="01002dbd7000fbdbdf250300000008000100", @ANYRES32=r6, @ANYBLOB="44000200400001002400010071756575655f69640000000000000000000000000000000000000000000000000800030003000000080004000000000008000600", @ANYRES32=r7, @ANYBLOB="08000100", @ANYRES32=r8, @ANYBLOB="fc00020040000100240001007072696f72697479000000000000000000000000000000000000000000000000080003000e000000080004002800000008000600", @ANYRES32=r9, @ANYBLOB="3800010024000100616374697665706f727400000000000000000000000000000000000000000000080003000300000008000400", @ANYRES32=r10, @ANYBLOB="400001002400010071756575655f69640000000000000000000000000000000000000000000000000800030003000000080004008dac000008000600", @ANYRES32=r11, @ANYBLOB="40000100240001007072696f72697479000000000000000000000000000000000000000000000000080003000e00000008000400e500000008000600", @ANYRES32=r12, @ANYBLOB="08000100", @ANYRES32=r13, @ANYBLOB="7400020038000100240001006d636173745f72656a6f696e5f696e74657276616c0000000000000000000000080003000300000008000400e20c000038000100240001006c625f73746174735f726566726573685f696e74657276616c00000000000000080003000300000008000400ff03000008000100", @ANYRES32=r14, @ANYBLOB="4400020040000100240001006c625f686173685f737461747300000000000000000000000000000000000000080003000b0000000800040000000000080007000000000008000100", @ANYRES32=r15, @ANYBLOB="5402020040000100240001006c625f74785f686173685f746f5f706f72745f6d617070696e67000000000000080003000300000008000400", @ANYRES32=r16, @ANYBLOB="0800070000000000400001002400010071756575655f69640000000000000000000000000000000000000000000000000800030003000000080004000200000008000600", @ANYRES32=r17, @ANYBLOB="40000100240001006c625f686173685f737461747300000000000000000000000000000000000000080003000b00000008000400ff7f000008000700000000003c00010024000100757365725f6c696e6b75705f656e61626c65640000000000000000000000000008000300060000000400040008000600", @ANYRES32=r18, @ANYBLOB="54000100240001006270665f686173685f66756e6300000000000000000000000000000000000000080003000b0000002400040001004bc102000000000108a159f2ffff080009080800000000000005020000003c000100240001006d6f64650000000000000000000000000000000000000000000000000000000008000300050000000c00040072616e646f6d000040000100240001006d6f646500000000000000000000000000000000000000000000000000000000080003000500000010000400726f756e64726f62696e000038000100240001006e6f746966795f70656572735f696e74657276616c0000000000000000000000080003000300000008000400040000004c000100240001006c625f74785f6d6574686f64000000000000000000000000000000000000000008000300050000001c000400686173685f746f5f706f72745f6d617070696e670000000008000100", @ANYRES32=r19, @ANYBLOB="04000200"], 0x494}, 0x1, 0x0, 0x0, 0x40000}, 0x880) r20 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x0, 0x0) ioctl$sock_SIOCGPGRP(r20, 0x8904, &(0x7f00000000c0)=0x0) perf_event_open(&(0x7f0000000040)={0x4, 0x70, 0x89, 0x7, 0x80000001, 0x4, 0x0, 0x80000001, 0x0, 0x8, 0x400, 0x20, 0x3f, 0x3ff, 0x401, 0x5, 0x3, 0x1, 0x9d, 0x0, 0x5, 0x6e, 0x400, 0x8, 0x8, 0x6, 0x8001, 0x4, 0x6, 0x2, 0x7fff, 0x9, 0x3f, 0x67, 0x0, 0x800, 0x80000001, 0x6, 0x0, 0x8, 0x0, @perf_bp={&(0x7f0000000000), 0x2}, 0x2802, 0x2, 0xc1f2, 0x7, 0x4, 0x10000, 0x3cfe}, r21, 0xa, r20, 0x1) [ 887.726107] binder: 15690:15713 got transaction to invalid handle [ 887.732462] binder: 15690:15713 transaction failed 29201/-22, size 216172782113783808-0 line 2855 07:50:32 executing program 7 (fault-call:5 fault-nth:12): socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:50:32 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) [ 888.010359] binder: release 15722:15728 transaction 9981 out, still active [ 888.017516] binder: unexpected work type, 4, not freed [ 888.022890] binder: undelivered TRANSACTION_COMPLETE [ 888.094916] FAULT_INJECTION: forcing a failure. [ 888.094916] name failslab, interval 1, probability 0, space 0, times 0 [ 888.106314] CPU: 1 PID: 15733 Comm: syz-executor7 Not tainted 4.19.0-rc2-next-20180904+ #55 [ 888.114814] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 888.124172] Call Trace: [ 888.126777] dump_stack+0x1c9/0x2b4 [ 888.130425] ? dump_stack_print_info.cold.2+0x52/0x52 [ 888.135645] ? graph_lock+0x170/0x170 [ 888.139463] ? __lock_acquire+0x7fc/0x5020 [ 888.143762] should_fail.cold.4+0xa/0x11 [ 888.147851] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 888.148804] binder_alloc: 15722: binder_alloc_buf, no vma [ 888.152973] ? find_held_lock+0x36/0x1c0 [ 888.153001] ? lock_downgrade+0x8f0/0x8f0 [ 888.153025] ? find_held_lock+0x36/0x1c0 [ 888.153070] ? check_same_owner+0x340/0x340 [ 888.175167] ? rcu_note_context_switch+0x680/0x680 [ 888.180127] __should_failslab+0x124/0x180 [ 888.184391] should_failslab+0x9/0x14 [ 888.188216] kmem_cache_alloc_trace+0x2b5/0x730 [ 888.192895] ? save_stack+0xa9/0xd0 [ 888.196538] ? save_stack+0x43/0xd0 [ 888.200179] ? kasan_kmalloc+0xc4/0xe0 [ 888.204083] ? __kmalloc_track_caller+0x14a/0x720 [ 888.208959] ? kstrdup+0x39/0x70 [ 888.212346] ? v9fs_session_init+0x115/0x1a80 [ 888.216924] p9_client_create+0x11b/0x1702 [ 888.221223] ? p9_client_read+0xae0/0xae0 [ 888.225393] ? __kmalloc_track_caller+0x26e/0x720 [ 888.230254] ? __lockdep_init_map+0x105/0x590 [ 888.234767] ? lockdep_init_map+0x9/0x10 [ 888.238840] ? kasan_check_write+0x14/0x20 [ 888.243086] ? __init_rwsem+0x1cc/0x2a0 [ 888.244370] binder: release 15722:15728 transaction 9981 in, still active [ 888.247074] ? do_raw_write_unlock.cold.8+0x49/0x49 [ 888.247096] ? rcu_read_lock_sched_held+0x108/0x120 [ 888.247111] ? __kmalloc_track_caller+0x590/0x720 [ 888.247127] ? save_stack+0xa9/0xd0 [ 888.247141] ? save_stack+0x43/0xd0 [ 888.247155] ? kasan_kmalloc+0xc4/0xe0 [ 888.247180] v9fs_session_init+0x21a/0x1a80 [ 888.247197] ? v9fs_session_init+0x21a/0x1a80 [ 888.247216] ? find_held_lock+0x36/0x1c0 [ 888.254188] binder: send failed reply for transaction 9981, target dead [ 888.259170] ? v9fs_show_options+0x7e0/0x7e0 [ 888.259187] ? kmem_cache_alloc_trace+0x275/0x730 [ 888.259208] ? kasan_check_read+0x11/0x20 [ 888.313167] ? rcu_is_watching+0x8c/0x150 [ 888.317324] ? trace_hardirqs_on+0xbd/0x2c0 [ 888.321655] ? rcu_pm_notify+0xc0/0xc0 [ 888.325561] ? v9fs_mount+0x61/0x900 [ 888.329323] ? rcu_read_lock_sched_held+0x108/0x120 [ 888.334344] ? kmem_cache_alloc_trace+0x324/0x730 [ 888.339200] v9fs_mount+0x7c/0x900 [ 888.342754] ? v9fs_drop_inode+0x150/0x150 [ 888.346998] legacy_get_tree+0x131/0x460 [ 888.351073] vfs_get_tree+0x1cb/0x5c0 [ 888.354884] do_mount+0x6f9/0x1e30 [ 888.358424] ? rcu_is_watching+0x8c/0x150 [ 888.362573] ? trace_hardirqs_on+0xbd/0x2c0 [ 888.366899] ? copy_mount_string+0x40/0x40 [ 888.371142] ? copy_mount_options+0x5f/0x380 [ 888.375558] ? kmem_cache_alloc_trace+0x324/0x730 [ 888.380409] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 888.385959] ? _copy_from_user+0xdf/0x150 [ 888.390127] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 888.395668] ? copy_mount_options+0x285/0x380 [ 888.400190] ksys_mount+0x12d/0x140 [ 888.403822] __x64_sys_mount+0xbe/0x150 [ 888.407803] do_syscall_64+0x1b9/0x820 [ 888.411693] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 888.417060] ? syscall_return_slowpath+0x5e0/0x5e0 [ 888.421995] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 888.426850] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 888.431867] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 888.436888] ? prepare_exit_to_usermode+0x291/0x3b0 [ 888.441914] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 888.446772] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 888.451972] RIP: 0033:0x457099 [ 888.455195] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 888.474117] RSP: 002b:00007f7d81711c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 888.481863] RAX: ffffffffffffffda RBX: 00007f7d817126d4 RCX: 0000000000457099 [ 888.489130] RDX: 00000000200003c0 RSI: 0000000020000380 RDI: 0000000000000000 07:50:33 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x2000000000000000, 0x0, &(0x7f0000000080)}) 07:50:33 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x0, 0x6, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) write$RDMA_USER_CM_CMD_CREATE_ID(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x18, 0xfa00, {0x2, &(0x7f0000000080)={0xffffffffffffffff}, 0x13f}}, 0x20) write$RDMA_USER_CM_CMD_JOIN_IP_MCAST(r1, &(0x7f0000000140)={0x10, 0x30, 0xfa00, {&(0x7f0000000040), 0x6, {0xa, 0x4e21, 0x9, @remote, 0x5}, r2}}, 0x38) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x8000000010400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000200)='/dev/dsp\x00', 0x8000, 0x0) [ 888.496402] RBP: 00000000009300a0 R08: 00000000200004c0 R09: 0000000000000000 [ 888.503671] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007 [ 888.510940] R13: 00000000004d3228 R14: 00000000004c81cc R15: 000000000000000c [ 888.520315] binder: 15690:15750 got transaction to invalid handle [ 888.525001] binder_alloc: binder_alloc_mmap_handler: 15690 20001000-20004000 already mapped failed -16 [ 888.591259] binder: undelivered TRANSACTION_ERROR: 29201 [ 888.611446] binder: undelivered TRANSACTION_ERROR: 29201 [ 888.678127] binder: unexpected work type, 4, not freed [ 888.683519] binder: undelivered TRANSACTION_COMPLETE [ 888.721730] binder_alloc: 15752: binder_alloc_buf, no vma [ 888.815599] binder: send failed reply for transaction 9988, target dead 07:50:35 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:50:35 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x0, @loopback, [0x3000000]}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:35 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7a0e0000, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:50:35 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269630000cf1fc3d9672c00"}}) 07:50:35 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x2000000, 0x0, &(0x7f0000000080)}) 07:50:35 executing program 5: r0 = syz_open_dev$mouse(&(0x7f0000000100)='/dev/input/mouse#\x00', 0x7fffffff, 0x400) ioctl$sock_inet_tcp_SIOCOUTQ(r0, 0x5411, &(0x7f0000000140)) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x1, 0x0) openat$dsp(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dsp\x00', 0x3, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r1, &(0x7f00000000c0)=""/11, 0xeb) getsockopt$inet_sctp6_SCTP_AUTO_ASCONF(r0, 0x84, 0x1e, &(0x7f0000000180), &(0x7f00000001c0)=0x4) ioctl$KVM_SET_SREGS(0xffffffffffffffff, 0x4138ae84, &(0x7f0000000200)={{0x0, 0x1d000, 0xc, 0x9, 0x1, 0x8, 0x8, 0xfff, 0x8, 0x8, 0x6, 0x1f}, {0x6001, 0x13000, 0xf, 0x5, 0xfffffffffffffff7, 0xffffffffffffffe0, 0x2, 0x8, 0x3, 0x2, 0xfffffffffffffff7, 0xab}, {0x10000, 0x5000, 0xd7d11861c36273a7, 0x78, 0x5, 0x8001, 0x9, 0xffffffff, 0xffffffffffffff81, 0xdd1, 0x4, 0x2}, {0x7005, 0x1f000, 0x0, 0x2, 0x1, 0x8001, 0x7, 0x7f, 0x7a6, 0x8, 0x401, 0x3ff}, {0x2000, 0x1001, 0x0, 0x25, 0x7f, 0xfffffffffffffc00, 0x8, 0x3, 0x6, 0xff, 0x1, 0xffffffffffffffff}, {0x5001, 0x15004, 0x4, 0x6, 0xffffffff, 0x40, 0x101, 0x919, 0x9, 0x9, 0x2, 0xffff}, {0xf000, 0x1000, 0x14, 0x8, 0x47, 0x1, 0x4, 0x1, 0x3, 0x80000000, 0x81, 0x7}, {0x14004, 0x6000, 0x9, 0x9, 0x63, 0x5, 0xba, 0x8, 0x400, 0x3, 0x1f, 0x40}, {0x106004, 0x1}, {0xf002, 0x4}, 0x40001, 0x0, 0x2000, 0x4010, 0xd, 0x2100, 0xf000, [0xfff, 0xc24, 0xe6a, 0x401]}) 07:50:35 executing program 2: r0 = socket$inet_dccp(0x2, 0x6, 0x0) fstat(r0, &(0x7f0000000140)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) pselect6(0x40, &(0x7f00000001c0)={0x5, 0x8001, 0x9, 0xb2, 0xfffffffffffffeff, 0x5, 0x80, 0xd50}, &(0x7f0000000200)={0x7fffffff, 0x2, 0x40, 0x8, 0x5, 0xdb7, 0x2, 0xd83d}, &(0x7f0000000240)={0x6, 0x3, 0x6, 0x0, 0x4, 0x1, 0x1, 0x9}, &(0x7f0000000280)={0x77359400}, &(0x7f0000000300)={&(0x7f00000002c0)={0xac27}, 0x8}) r3 = fcntl$getown(r0, 0x9) ptrace$poke(0x5, r3, &(0x7f0000000340), 0x37ec) write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x20e, 0x9, 0x0, {0x0, 0x0, 0x7fffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf0e}}, 0x43) syz_genetlink_get_family_id$nbd(&(0x7f00000003c0)='nbd\x00') perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r4 = semget$private(0x0, 0x3, 0x3) semctl$SEM_STAT(r4, 0x3, 0x12, &(0x7f0000000980)=""/230) r5 = syz_open_dev$vcsn(&(0x7f0000000040)='/dev/vcs#\x00', 0xffffffffffff6435, 0x181000) ioctl$sock_SIOCETHTOOL(r5, 0x8946, &(0x7f00000000c0)={'bpq0\x00', &(0x7f0000000080)=ANY=[@ANYBLOB="479a5400070000e100080000000000001a0000000005e3000600009f"]}) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) mq_getsetattr(r5, &(0x7f0000000400)={0xe14, 0x9, 0x1f, 0x0, 0x8000, 0x5, 0x7fff, 0x3ff}, &(0x7f0000000440)) fchownat(r5, &(0x7f0000000500)='./file0\x00', r1, r2, 0x800) r6 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x2000, 0x0) ioctl$KVM_S390_UCAS_MAP(r6, 0x4018ae50, &(0x7f0000000380)={0x3ff, 0x0, 0x4}) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x0, 0x0) 07:50:35 executing program 7 (fault-call:5 fault-nth:13): socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 890.091398] binder: BINDER_SET_CONTEXT_MGR already set [ 890.098467] binder: 15774:15781 ioctl 40046207 0 returned -16 [ 890.114423] binder_alloc: 15774: binder_alloc_buf, no vma [ 890.120337] binder_transaction: 3 callbacks suppressed [ 890.120353] binder: 15773:15779 transaction failed 29189/-3, size 2047737856-0 line 2970 [ 890.138383] FAULT_INJECTION: forcing a failure. [ 890.138383] name failslab, interval 1, probability 0, space 0, times 0 [ 890.139882] binder_thread_release: 2 callbacks suppressed [ 890.139893] binder: release 15774:15781 transaction 9993 out, still active [ 890.149762] CPU: 1 PID: 15782 Comm: syz-executor7 Not tainted 4.19.0-rc2-next-20180904+ #55 [ 890.149772] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 890.149779] Call Trace: [ 890.149807] dump_stack+0x1c9/0x2b4 [ 890.155366] binder: unexpected work type, 4, not freed [ 890.162345] ? dump_stack_print_info.cold.2+0x52/0x52 [ 890.162365] ? is_bpf_text_address+0xd7/0x170 [ 890.162396] should_fail.cold.4+0xa/0x11 [ 890.170878] binder: undelivered TRANSACTION_COMPLETE [ 890.180219] ? __save_stack_trace+0x8d/0xf0 [ 890.180241] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 890.180265] ? save_stack+0xa9/0xd0 [ 890.198125] binder_alloc: binder_alloc_mmap_handler: 15773 20001000-20004000 already mapped failed -16 [ 890.201370] ? kasan_kmalloc+0xc4/0xe0 [ 890.201385] ? kmem_cache_alloc_trace+0x152/0x730 [ 890.201406] ? p9_client_create+0x11b/0x1702 [ 890.205892] binder: 15774:15787 got transaction to invalid handle [ 890.210578] ? v9fs_session_init+0x21a/0x1a80 [ 890.210592] ? v9fs_mount+0x7c/0x900 [ 890.210605] ? legacy_get_tree+0x131/0x460 [ 890.210620] ? vfs_get_tree+0x1cb/0x5c0 [ 890.210633] ? do_mount+0x6f9/0x1e30 [ 890.210656] ? find_held_lock+0x36/0x1c0 [ 890.214996] binder: 15774:15787 transaction failed 29201/-22, size 0-0 line 2855 [ 890.220089] ? check_same_owner+0x340/0x340 [ 890.220109] ? rcu_note_context_switch+0x680/0x680 [ 890.224177] binder: BINDER_SET_CONTEXT_MGR already set [ 890.233156] ? trace_hardirqs_on+0xbd/0x2c0 [ 890.233178] __should_failslab+0x124/0x180 [ 890.233195] should_failslab+0x9/0x14 [ 890.233213] __kmalloc_track_caller+0x2ae/0x720 [ 890.239048] binder: 15773:15789 got transaction to invalid handle [ 890.241944] ? p9_client_create+0x11b/0x1702 [ 890.241973] ? rcu_read_lock_sched_held+0x108/0x120 [ 890.241988] ? kmem_cache_alloc_trace+0x324/0x730 [ 890.242007] ? save_stack+0xa9/0xd0 [ 890.246440] binder: 15773:15789 transaction failed 29201/-22, size 2047737856-0 line 2855 [ 890.252632] ? p9_client_create+0x490/0x1702 [ 890.252651] kstrdup+0x39/0x70 [ 890.252669] p9_client_create+0x490/0x1702 [ 890.252692] ? p9_client_read+0xae0/0xae0 [ 890.258273] binder: 15773:15779 ioctl 40046207 0 returned -16 [ 890.260886] ? __kmalloc_track_caller+0x26e/0x720 [ 890.260903] ? __lockdep_init_map+0x105/0x590 [ 890.260920] ? lockdep_init_map+0x9/0x10 [ 890.260938] ? kasan_check_write+0x14/0x20 [ 890.282338] binder: release 15773:15779 transaction 9993 in, still active [ 890.284409] ? __init_rwsem+0x1cc/0x2a0 [ 890.284429] ? do_raw_write_unlock.cold.8+0x49/0x49 [ 890.284450] ? rcu_read_lock_sched_held+0x108/0x120 [ 890.284465] ? __kmalloc_track_caller+0x590/0x720 [ 890.284484] ? save_stack+0xa9/0xd0 [ 890.288818] binder: send failed reply for transaction 9993, target dead [ 890.293715] ? save_stack+0x43/0xd0 [ 890.293736] ? kasan_kmalloc+0xc4/0xe0 [ 890.293761] v9fs_session_init+0x21a/0x1a80 [ 890.299049] binder: undelivered TRANSACTION_ERROR: 29189 [ 890.303336] ? v9fs_session_init+0x21a/0x1a80 [ 890.303353] ? find_held_lock+0x36/0x1c0 [ 890.303391] ? v9fs_show_options+0x7e0/0x7e0 [ 890.453967] ? kmem_cache_alloc_trace+0x275/0x730 [ 890.458818] ? kasan_check_read+0x11/0x20 [ 890.462973] ? rcu_is_watching+0x8c/0x150 [ 890.467124] ? trace_hardirqs_on+0xbd/0x2c0 [ 890.471447] ? rcu_pm_notify+0xc0/0xc0 [ 890.475382] ? v9fs_mount+0x61/0x900 [ 890.479102] ? rcu_read_lock_sched_held+0x108/0x120 [ 890.484120] ? kmem_cache_alloc_trace+0x324/0x730 [ 890.488983] v9fs_mount+0x7c/0x900 [ 890.492529] ? v9fs_drop_inode+0x150/0x150 [ 890.496765] legacy_get_tree+0x131/0x460 [ 890.500831] vfs_get_tree+0x1cb/0x5c0 [ 890.504633] do_mount+0x6f9/0x1e30 [ 890.508172] ? rcu_is_watching+0x8c/0x150 [ 890.512324] ? copy_mount_string+0x40/0x40 [ 890.516573] ? retint_kernel+0x10/0x10 [ 890.520466] ? copy_mount_options+0x1a1/0x380 [ 890.524973] ? copy_mount_options+0x1cc/0x380 [ 890.529475] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 890.535015] ? copy_mount_options+0x285/0x380 [ 890.539518] ksys_mount+0x12d/0x140 [ 890.543151] __x64_sys_mount+0xbe/0x150 [ 890.547150] do_syscall_64+0x1b9/0x820 [ 890.551043] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 890.556408] ? syscall_return_slowpath+0x5e0/0x5e0 [ 890.561368] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 890.566389] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 890.571414] ? recalc_sigpending_tsk+0x180/0x180 [ 890.576172] ? kasan_check_write+0x14/0x20 [ 890.580417] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 890.585269] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 890.590459] RIP: 0033:0x457099 [ 890.593653] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 890.612552] RSP: 002b:00007f7d81711c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 890.620263] RAX: ffffffffffffffda RBX: 00007f7d817126d4 RCX: 0000000000457099 [ 890.627528] RDX: 00000000200003c0 RSI: 0000000020000380 RDI: 0000000000000000 [ 890.634808] RBP: 00000000009300a0 R08: 00000000200004c0 R09: 0000000000000000 07:50:35 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x740e0000, 0x0, &(0x7f0000000080)}) 07:50:35 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x0, @loopback, [0x240]}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:35 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5000000, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 890.642078] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007 [ 890.649348] R13: 00000000004d3228 R14: 00000000004c81cc R15: 000000000000000d 07:50:35 executing program 2: semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) recvmmsg(0xffffffffffffff9c, &(0x7f0000004480)=[{{&(0x7f0000000000)=@l2, 0x80, &(0x7f0000000500)=[{&(0x7f0000000140)=""/151, 0x97}, {&(0x7f0000000a80)=""/4096, 0x1000}, {&(0x7f0000001a80)=""/4096, 0x1000}, {&(0x7f0000000200)=""/239, 0xef}, {&(0x7f0000000080)=""/57, 0x39}, {&(0x7f0000000300)=""/128, 0x80}, {&(0x7f0000000380)=""/118, 0x76}, {&(0x7f00000000c0)=""/50, 0x32}, {&(0x7f0000000400)}], 0x9, &(0x7f00000005c0)=""/121, 0x79, 0x7}, 0x20}, {{&(0x7f0000000640)=@nfc_llcp, 0x80, &(0x7f0000002e00)=[{&(0x7f00000006c0)=""/195, 0xc3}, {&(0x7f00000007c0)=""/146, 0x92}, {&(0x7f0000000880)=""/177, 0xb1}, {&(0x7f0000000440)=""/19, 0x13}, {&(0x7f0000002a80)=""/194, 0xc2}, {&(0x7f0000002b80)=""/207, 0xcf}, {&(0x7f0000002c80)=""/200, 0xc8}, {&(0x7f0000002d80)=""/83, 0x53}], 0x8, 0x0, 0x0, 0x3}, 0x7}, {{&(0x7f0000002e80)=@pppol2tpv3in6={0x18, 0x1, {0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0xa, 0x0, 0x0, @mcast1}}}, 0x80, &(0x7f0000003180)=[{&(0x7f0000002f00)=""/147, 0x93}, {&(0x7f0000002fc0)=""/173, 0xad}, {&(0x7f0000003080)=""/242, 0xf2}, {&(0x7f0000000940)}], 0x4, 0x0, 0x0, 0x7b3f586}, 0x7f}, {{&(0x7f00000031c0)=@l2, 0x80, &(0x7f0000004440)=[{&(0x7f0000003240)=""/4096, 0x1000}, {&(0x7f0000004240)=""/191, 0xbf}, {&(0x7f0000004300)=""/7, 0x7}, {&(0x7f0000004340)=""/255, 0xff}], 0x4, 0x0, 0x0, 0x3}, 0x7fff}], 0x4, 0x2, &(0x7f0000004580)={0x0, 0x989680}) getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(0xffffffffffffffff, 0x84, 0xa, &(0x7f00000045c0)={0x5, 0x0, 0x4, 0x1, 0x1, 0x200, 0xffff, 0xfaea1c, 0x0}, &(0x7f0000004600)=0x20) getsockopt$inet_sctp_SCTP_DEFAULT_SEND_PARAM(r0, 0x84, 0xa, &(0x7f0000004640)={0x5, 0x2, 0x200, 0x8, 0x6, 0x8, 0x31d, 0x1, r1}, &(0x7f0000004680)=0x20) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) r2 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000940)='/dev/dsp\x00', 0xfffffffffffffffc, 0x0) ioctl$FICLONE(r0, 0x40049409, r0) ioctl$BINDER_SET_MAX_THREADS(r2, 0x40046205, 0x7) ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, &(0x7f0000000400)={'vcan0\x00', 0x0}) ioctl$NBD_SET_TIMEOUT(r2, 0xab09, 0x7) bind$packet(r0, &(0x7f0000000480)={0x11, 0x17, r3, 0x1, 0x5, 0x6, @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x2}}, 0x14) 07:50:35 executing program 7 (fault-call:5 fault-nth:14): socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 890.744632] binder: undelivered TRANSACTION_ERROR: 29201 07:50:35 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963006a942aa38daa9f00"}}) [ 890.854375] binder: release 15798:15803 transaction 10000 out, still active [ 890.861662] binder: unexpected work type, 4, not freed [ 890.867035] binder: undelivered TRANSACTION_COMPLETE [ 890.909653] binder: BINDER_SET_CONTEXT_MGR already set [ 890.926234] binder: 15799:15806 ioctl 40046207 0 returned -16 [ 890.954324] binder_alloc: 15798: binder_alloc_buf, no vma [ 890.960237] binder: 15798:15803 transaction failed 29189/-3, size 0-0 line 2970 [ 890.973272] FAULT_INJECTION: forcing a failure. [ 890.973272] name failslab, interval 1, probability 0, space 0, times 0 [ 890.985441] CPU: 1 PID: 15812 Comm: syz-executor7 Not tainted 4.19.0-rc2-next-20180904+ #55 [ 890.994428] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 891.003859] binder: 15799:15816 got transaction to invalid handle [ 891.004495] Call Trace: [ 891.004522] dump_stack+0x1c9/0x2b4 [ 891.004546] ? dump_stack_print_info.cold.2+0x52/0x52 [ 891.004571] ? __kernel_text_address+0xd/0x40 [ 891.010835] binder: 15799:15816 transaction failed 29201/-22, size 83886080-0 line 2855 [ 891.013393] ? unwind_get_return_address+0x61/0xa0 [ 891.013417] should_fail.cold.4+0xa/0x11 [ 891.013450] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 891.013473] ? save_stack+0x43/0xd0 [ 891.052525] ? kasan_kmalloc+0xc4/0xe0 [ 891.056412] ? __kmalloc_track_caller+0x14a/0x720 [ 891.061259] ? kstrdup+0x39/0x70 [ 891.064628] ? p9_client_create+0x490/0x1702 [ 891.069038] ? v9fs_session_init+0x21a/0x1a80 [ 891.073536] ? legacy_get_tree+0x131/0x460 [ 891.077781] ? vfs_get_tree+0x1cb/0x5c0 [ 891.081782] ? do_mount+0x6f9/0x1e30 [ 891.085496] ? ksys_mount+0x12d/0x140 [ 891.089302] ? __x64_sys_mount+0xbe/0x150 [ 891.093452] ? do_syscall_64+0x1b9/0x820 [ 891.097517] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 891.102891] ? find_held_lock+0x36/0x1c0 [ 891.106977] ? check_same_owner+0x340/0x340 [ 891.111314] ? trace_hardirqs_on+0xbd/0x2c0 [ 891.115639] ? rcu_note_context_switch+0x680/0x680 [ 891.120580] __should_failslab+0x124/0x180 [ 891.124824] should_failslab+0x9/0x14 [ 891.128629] __kmalloc+0x2b2/0x720 [ 891.132230] ? match_wildcard+0x3c0/0x3c0 [ 891.136387] ? match_strdup+0x5e/0xa0 [ 891.140201] match_strdup+0x5e/0xa0 [ 891.143836] p9_client_create+0x690/0x1702 [ 891.148077] ? p9_client_read+0xae0/0xae0 [ 891.152247] ? __kmalloc_track_caller+0x26e/0x720 [ 891.157095] ? __lockdep_init_map+0x105/0x590 [ 891.161600] ? lockdep_init_map+0x9/0x10 [ 891.165668] ? kasan_check_write+0x14/0x20 [ 891.169910] ? __init_rwsem+0x1cc/0x2a0 [ 891.173889] ? do_raw_write_unlock.cold.8+0x49/0x49 [ 891.178917] ? rcu_read_lock_sched_held+0x108/0x120 [ 891.183936] ? __kmalloc_track_caller+0x590/0x720 [ 891.188783] ? save_stack+0x43/0xd0 [ 891.192413] ? kasan_kmalloc+0xc4/0xe0 [ 891.196331] v9fs_session_init+0x21a/0x1a80 [ 891.200668] ? v9fs_session_init+0x21a/0x1a80 [ 891.205167] ? find_held_lock+0x36/0x1c0 [ 891.209246] ? v9fs_show_options+0x7e0/0x7e0 [ 891.213655] ? kmem_cache_alloc_trace+0x275/0x730 [ 891.218502] ? kasan_check_read+0x11/0x20 [ 891.222676] ? rcu_is_watching+0x8c/0x150 [ 891.226824] ? trace_hardirqs_on+0xbd/0x2c0 [ 891.231146] ? rcu_pm_notify+0xc0/0xc0 [ 891.235059] ? v9fs_mount+0x61/0x900 [ 891.238778] ? rcu_read_lock_sched_held+0x108/0x120 [ 891.243794] ? kmem_cache_alloc_trace+0x324/0x730 [ 891.248645] v9fs_mount+0x7c/0x900 [ 891.252188] ? v9fs_drop_inode+0x150/0x150 [ 891.256427] legacy_get_tree+0x131/0x460 [ 891.260499] vfs_get_tree+0x1cb/0x5c0 [ 891.264316] do_mount+0x6f9/0x1e30 [ 891.267855] ? rcu_is_watching+0x8c/0x150 [ 891.272001] ? trace_hardirqs_on+0xbd/0x2c0 [ 891.276342] ? copy_mount_string+0x40/0x40 [ 891.280599] ? copy_mount_options+0x5f/0x380 [ 891.285012] ? kmem_cache_alloc_trace+0x324/0x730 [ 891.289863] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 891.295403] ? _copy_from_user+0xdf/0x150 [ 891.299558] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 891.305109] ? copy_mount_options+0x285/0x380 [ 891.309619] ksys_mount+0x12d/0x140 [ 891.313278] __x64_sys_mount+0xbe/0x150 [ 891.317260] do_syscall_64+0x1b9/0x820 [ 891.321157] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 891.326531] ? syscall_return_slowpath+0x5e0/0x5e0 [ 891.331486] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 891.336509] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 891.341530] ? recalc_sigpending_tsk+0x180/0x180 [ 891.346289] ? kasan_check_write+0x14/0x20 [ 891.350533] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 891.355396] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 891.360588] RIP: 0033:0x457099 [ 891.363793] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 891.382692] RSP: 002b:00007f7d81711c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 891.390408] RAX: ffffffffffffffda RBX: 00007f7d817126d4 RCX: 0000000000457099 [ 891.397674] RDX: 00000000200003c0 RSI: 0000000020000380 RDI: 0000000000000000 07:50:36 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$admmidi(&(0x7f0000000140)='/dev/admmidi#\x00', 0x6, 0x600) ioctl$KVM_UNREGISTER_COALESCED_MMIO(r0, 0x4010ae68, &(0x7f0000000100)={0xf000, 0x108000}) ioctl$KVM_TRANSLATE(r0, 0xc018ae85, &(0x7f0000000180)={0x1000, 0x6000, 0x6, 0xfffffffffffffa09, 0x2}) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) r1 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000240)='/dev/dsp\x00', 0x1000000000800001, 0x0) ioctl$KDSKBSENT(r1, 0x4b49, &(0x7f0000000000)="4f8a886f1860a319131f2ed9decef7848b14edb5dedf9d0ec588314773d2234791c499aa520cd8591a789eb845bb0617b567cd9f05ce1cedcf971b6e243e65e4719f0215b49082d3d5befd7ab508568614f782796b44746fcdea8fe794cc67e7ce1fc24c923906c862e95557763aea02042bdcedb74cea1077ec42ad64620a50a9f03b5ab6686edd2ecb962af7500d640c38df09feb5fbfe0a967192eaa762e8998314b2aec3d2755d4e11511a1f2e33a7aec2817945f5ba1063b6f8e4b4e3c0db4b60e79cbd486d1b44bd867a0ec452c1301d1568cf272392498d722a8b66e0e122880ec1c85889") 07:50:36 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) [ 891.404943] RBP: 00000000009300a0 R08: 00000000200004c0 R09: 0000000000000000 [ 891.412211] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007 [ 891.419480] R13: 00000000004d3228 R14: 00000000004c81cc R15: 000000000000000e 07:50:36 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x740e, 0x0, &(0x7f0000000080)}) [ 891.459858] binder_alloc: binder_alloc_mmap_handler: 15799 20001000-20004000 already mapped failed -16 [ 891.480994] binder: release 15798:15803 transaction 10000 in, still active [ 891.488194] binder: send failed reply for transaction 10000, target dead [ 891.499004] binder: 15799:15813 got transaction to invalid handle 07:50:36 executing program 7 (fault-call:5 fault-nth:15): socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 891.505380] binder: 15799:15813 transaction failed 29201/-22, size 83886080-0 line 2855 07:50:36 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e6572696300a27f3624df99ef00"}}) 07:50:36 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) [ 891.530653] binder: undelivered TRANSACTION_ERROR: 29201 [ 891.537989] binder: undelivered TRANSACTION_ERROR: 29201 07:50:36 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x0, @loopback, [0xffffff91]}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 891.782930] binder: release 15831:15834 transaction 10008 out, still active [ 891.790271] binder: unexpected work type, 4, not freed [ 891.796080] binder: undelivered TRANSACTION_COMPLETE [ 891.813579] binder: BINDER_SET_CONTEXT_MGR already set [ 891.841671] binder: 15833:15836 ioctl 40046207 0 returned -16 [ 891.860566] binder: 15833:15837 got transaction to invalid handle [ 891.863408] binder_alloc: 15831: binder_alloc_buf, no vma [ 891.866904] binder: 15833:15837 transaction failed 29201/-22, size 5-0 line 2855 [ 891.880201] binder: 15831:15838 transaction failed 29189/-3, size 0-0 line 2970 [ 891.905532] binder_alloc: binder_alloc_mmap_handler: 15833 20001000-20004000 already mapped failed -16 [ 891.953447] binder: BINDER_SET_CONTEXT_MGR already set [ 891.977316] binder: 15833:15841 got transaction to invalid handle [ 891.977341] binder: 15833:15836 ioctl 40046207 0 returned -16 [ 891.983659] binder: 15833:15841 transaction failed 29201/-22, size 5-0 line 2855 [ 891.997051] binder: release 15831:15838 transaction 10008 in, still active [ 892.004242] binder: send failed reply for transaction 10008, target dead [ 892.056838] binder: undelivered TRANSACTION_ERROR: 29201 [ 892.076553] binder: undelivered TRANSACTION_ERROR: 29201 [ 892.101109] FAULT_INJECTION: forcing a failure. [ 892.101109] name failslab, interval 1, probability 0, space 0, times 0 [ 892.112473] CPU: 0 PID: 15848 Comm: syz-executor7 Not tainted 4.19.0-rc2-next-20180904+ #55 [ 892.120975] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 892.130329] Call Trace: [ 892.132946] dump_stack+0x1c9/0x2b4 [ 892.136597] ? dump_stack_print_info.cold.2+0x52/0x52 [ 892.141816] should_fail.cold.4+0xa/0x11 [ 892.145909] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 892.151066] ? find_held_lock+0x36/0x1c0 [ 892.155192] ? check_same_owner+0x340/0x340 [ 892.159562] ? __kernel_text_address+0xd/0x40 [ 892.164077] ? rcu_note_context_switch+0x680/0x680 [ 892.169035] __should_failslab+0x124/0x180 [ 892.173295] should_failslab+0x9/0x14 [ 892.177115] __kmalloc_track_caller+0x2ae/0x720 [ 892.181834] ? save_stack+0xa9/0xd0 [ 892.185483] ? parse_opts+0x176/0x500 [ 892.189301] kstrdup+0x39/0x70 [ 892.192515] parse_opts+0x176/0x500 [ 892.196159] ? trace_hardirqs_off+0xb8/0x2b0 [ 892.200586] ? do_raw_spin_unlock+0xa7/0x2f0 [ 892.205023] ? p9_fd_poll+0x2b0/0x2b0 [ 892.208863] ? kasan_check_write+0x14/0x20 [ 892.213143] ? trace_hardirqs_off+0xb8/0x2b0 [ 892.217573] ? _raw_spin_unlock_irqrestore+0x63/0xc0 [ 892.222705] ? trace_hardirqs_on+0x2c0/0x2c0 [ 892.227128] ? kfree+0x111/0x210 [ 892.230517] ? kfree+0x111/0x210 [ 892.233906] ? lockdep_hardirqs_on+0x421/0x5c0 [ 892.238526] p9_fd_create+0x8b/0x3f0 [ 892.242264] ? p9_fd_show_options+0x1c0/0x1c0 [ 892.246778] ? p9_client_create+0xc16/0x1702 [ 892.251218] p9_client_create+0x877/0x1702 [ 892.255490] ? p9_client_read+0xae0/0xae0 [ 892.259682] ? __kmalloc_track_caller+0x26e/0x720 [ 892.264540] ? __lockdep_init_map+0x105/0x590 [ 892.269056] ? lockdep_init_map+0x9/0x10 [ 892.273141] ? kasan_check_write+0x14/0x20 [ 892.277393] ? __init_rwsem+0x1cc/0x2a0 [ 892.281389] ? do_raw_write_unlock.cold.8+0x49/0x49 [ 892.286429] ? rcu_read_lock_sched_held+0x108/0x120 [ 892.291464] ? __kmalloc_track_caller+0x590/0x720 [ 892.296324] ? save_stack+0x43/0xd0 [ 892.299969] ? kasan_kmalloc+0xc4/0xe0 [ 892.303888] v9fs_session_init+0x21a/0x1a80 [ 892.308220] ? v9fs_session_init+0x21a/0x1a80 [ 892.312735] ? find_held_lock+0x36/0x1c0 [ 892.316820] ? v9fs_show_options+0x7e0/0x7e0 [ 892.321254] ? kmem_cache_alloc_trace+0x275/0x730 [ 892.326111] ? kasan_check_read+0x11/0x20 [ 892.330270] ? rcu_is_watching+0x8c/0x150 [ 892.334439] ? trace_hardirqs_on+0xbd/0x2c0 [ 892.338773] ? rcu_pm_notify+0xc0/0xc0 [ 892.342693] ? v9fs_mount+0x61/0x900 [ 892.346421] ? rcu_read_lock_sched_held+0x108/0x120 [ 892.351448] ? kmem_cache_alloc_trace+0x324/0x730 [ 892.356315] v9fs_mount+0x7c/0x900 [ 892.359875] ? v9fs_drop_inode+0x150/0x150 [ 892.364129] legacy_get_tree+0x131/0x460 [ 892.368241] vfs_get_tree+0x1cb/0x5c0 [ 892.372067] do_mount+0x6f9/0x1e30 [ 892.375666] ? rcu_is_watching+0x8c/0x150 [ 892.379828] ? trace_hardirqs_on+0xbd/0x2c0 [ 892.384164] ? copy_mount_string+0x40/0x40 [ 892.388413] ? copy_mount_options+0x5f/0x380 [ 892.392834] ? kmem_cache_alloc_trace+0x324/0x730 [ 892.397710] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 892.403264] ? _copy_from_user+0xdf/0x150 [ 892.407444] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 892.412996] ? copy_mount_options+0x285/0x380 [ 892.417519] ksys_mount+0x12d/0x140 [ 892.421185] __x64_sys_mount+0xbe/0x150 [ 892.425180] do_syscall_64+0x1b9/0x820 [ 892.429093] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 892.434489] ? syscall_return_slowpath+0x5e0/0x5e0 [ 892.439433] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 892.444464] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 892.449492] ? recalc_sigpending_tsk+0x180/0x180 [ 892.454269] ? kasan_check_write+0x14/0x20 [ 892.458532] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 892.463407] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 892.468605] RIP: 0033:0x457099 [ 892.471804] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 892.490710] RSP: 002b:00007f7d81711c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 892.498432] RAX: ffffffffffffffda RBX: 00007f7d817126d4 RCX: 0000000000457099 [ 892.505708] RDX: 00000000200003c0 RSI: 0000000020000380 RDI: 0000000000000000 [ 892.512985] RBP: 00000000009300a0 R08: 00000000200004c0 R09: 0000000000000000 [ 892.520261] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007 [ 892.527539] R13: 00000000004d3228 R14: 00000000004c81cc R15: 000000000000000f [ 892.535239] 9pnet: Insufficient options for proto=fd 07:50:39 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963b79b1b36ae61f7e100"}}) 07:50:39 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x0, 0x0) getsockopt$inet_IP_XFRM_POLICY(r0, 0x0, 0x11, &(0x7f0000000000)={{{@in6=@remote, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@local}, 0x0, @in=@dev}}, &(0x7f0000000140)=0xe8) ioprio_set$uid(0x3, r1, 0x1) 07:50:39 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x300, 0x0, &(0x7f0000000080)}) 07:50:39 executing program 7 (fault-call:5 fault-nth:16): socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:50:39 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x68000000, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:50:39 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x0, @loopback, [0x4002000000000000]}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) 07:50:39 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:50:39 executing program 5: perf_event_open(&(0x7f0000000240)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}, 0x0, 0x0, 0x0, 0x800000000, 0x0, 0x0, 0x80000}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net\x00\x00\x00\x00\x00\x00\x00\a/expire_nodest_conn\x00', 0x2, 0x0) getsockopt$IPT_SO_GET_INFO(r0, 0x0, 0x40, &(0x7f0000000100)={'nat\x00'}, &(0x7f0000000080)=0x54) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x4) r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ptmx\x00', 0x0, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x8031, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp6_SCTP_DELAYED_SACK(r0, 0x84, 0x10, &(0x7f00000002c0)=@assoc_value={0x0, 0x543}, &(0x7f0000000300)=0x8) setsockopt$inet_sctp_SCTP_STREAM_SCHEDULER_VALUE(r0, 0x84, 0x7c, &(0x7f0000000340)={r2, 0xb71, 0x5f53}, 0x8) ioctl$EVIOCRMFF(0xffffffffffffffff, 0x40044581, &(0x7f0000000040)) getdents64(r1, &(0x7f00000000c0)=""/11, 0xeb) r3 = socket(0x19, 0x800, 0x7) ioctl$KVM_ASSIGN_DEV_IRQ(r0, 0x4040ae70, &(0x7f0000000380)={0x0, 0x2, 0x2, 0x204}) getsockopt$inet_sctp6_SCTP_MAXSEG(r0, 0x84, 0xd, &(0x7f0000000180)=@assoc_id=0x0, &(0x7f00000001c0)=0x4) setsockopt$inet_sctp_SCTP_DEFAULT_PRINFO(r3, 0x84, 0x72, &(0x7f0000000200)={r4, 0x101, 0x20}, 0xc) [ 894.805114] binder: release 15860:15867 transaction 10015 out, still active [ 894.812439] binder: unexpected work type, 4, not freed [ 894.817838] binder: undelivered TRANSACTION_COMPLETE [ 894.831351] FAULT_INJECTION: forcing a failure. [ 894.831351] name failslab, interval 1, probability 0, space 0, times 0 [ 894.836496] binder_alloc: 15860: binder_alloc_buf, no vma [ 894.842682] CPU: 1 PID: 15869 Comm: syz-executor7 Not tainted 4.19.0-rc2-next-20180904+ #55 [ 894.842698] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 894.842705] Call Trace: [ 894.842743] dump_stack+0x1c9/0x2b4 [ 894.842771] ? dump_stack_print_info.cold.2+0x52/0x52 [ 894.848360] binder: 15860:15867 transaction failed 29189/-3, size 0-0 line 2970 [ 894.856800] ? rcu_cleanup_dead_rnp+0x200/0x200 [ 894.856832] should_fail.cold.4+0xa/0x11 [ 894.856858] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 894.892612] binder: release 15860:15867 transaction 10015 in, still active [ 894.893718] ? __kernel_text_address+0xd/0x40 [ 894.893745] ? unwind_get_return_address+0x61/0xa0 [ 894.893781] ? find_held_lock+0x36/0x1c0 [ 894.893819] ? check_same_owner+0x340/0x340 [ 894.893839] ? rcu_note_context_switch+0x680/0x680 [ 894.893866] __should_failslab+0x124/0x180 [ 894.898997] binder: send failed reply for transaction 10015, target dead [ 894.905983] should_failslab+0x9/0x14 [ 894.905998] __kmalloc+0x2b2/0x720 [ 894.906012] ? rcu_pm_notify+0xc0/0xc0 [ 894.906034] ? match_number.isra.0+0xbf/0x280 [ 894.906055] match_number.isra.0+0xbf/0x280 [ 894.959806] ? match_strdup+0xa0/0xa0 [ 894.963621] ? match_wildcard+0x3c0/0x3c0 [ 894.967781] match_int+0x23/0x30 [ 894.971152] parse_opts+0x32c/0x500 [ 894.974797] ? p9_fd_poll+0x2b0/0x2b0 [ 894.978607] ? kasan_check_write+0x14/0x20 [ 894.982853] ? trace_hardirqs_off+0xb8/0x2b0 [ 894.987269] ? _raw_spin_unlock_irqrestore+0x63/0xc0 [ 894.992378] ? kfree+0x111/0x210 [ 894.995753] ? kfree+0x111/0x210 [ 894.999128] ? lockdep_hardirqs_on+0x421/0x5c0 [ 895.003740] p9_fd_create+0x8b/0x3f0 [ 895.007461] ? p9_fd_show_options+0x1c0/0x1c0 [ 895.011969] ? p9_client_create+0xc16/0x1702 [ 895.016396] p9_client_create+0x877/0x1702 [ 895.020642] ? p9_client_read+0xae0/0xae0 [ 895.024807] ? __kmalloc_track_caller+0x26e/0x720 [ 895.029652] ? __lockdep_init_map+0x105/0x590 [ 895.034154] ? lockdep_init_map+0x9/0x10 [ 895.038222] ? kasan_check_write+0x14/0x20 [ 895.042461] ? __init_rwsem+0x1cc/0x2a0 [ 895.046439] ? do_raw_write_unlock.cold.8+0x49/0x49 [ 895.051464] ? rcu_read_lock_sched_held+0x108/0x120 [ 895.056483] ? __kmalloc_track_caller+0x590/0x720 [ 895.061331] ? save_stack+0x43/0xd0 [ 895.064969] ? kasan_kmalloc+0xc4/0xe0 [ 895.068870] v9fs_session_init+0x21a/0x1a80 [ 895.073195] ? v9fs_session_init+0x21a/0x1a80 [ 895.077717] ? find_held_lock+0x36/0x1c0 [ 895.081801] ? v9fs_show_options+0x7e0/0x7e0 [ 895.086215] ? kmem_cache_alloc_trace+0x275/0x730 [ 895.091072] ? kasan_check_read+0x11/0x20 [ 895.095223] ? rcu_is_watching+0x8c/0x150 [ 895.099398] ? trace_hardirqs_on+0xbd/0x2c0 [ 895.103734] ? rcu_pm_notify+0xc0/0xc0 [ 895.107643] ? v9fs_mount+0x61/0x900 [ 895.111374] ? rcu_read_lock_sched_held+0x108/0x120 [ 895.116395] ? kmem_cache_alloc_trace+0x324/0x730 [ 895.121254] v9fs_mount+0x7c/0x900 [ 895.124801] ? v9fs_drop_inode+0x150/0x150 [ 895.129042] legacy_get_tree+0x131/0x460 [ 895.133116] vfs_get_tree+0x1cb/0x5c0 [ 895.136927] do_mount+0x6f9/0x1e30 [ 895.140475] ? rcu_is_watching+0x8c/0x150 [ 895.144629] ? copy_mount_string+0x40/0x40 [ 895.148922] ? retint_kernel+0x10/0x10 [ 895.152867] ? copy_mount_options+0x1f0/0x380 [ 895.157363] ? copy_mount_options+0x202/0x380 [ 895.161863] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 895.167400] ? copy_mount_options+0x285/0x380 [ 895.171900] ksys_mount+0x12d/0x140 [ 895.175533] __x64_sys_mount+0xbe/0x150 [ 895.179524] do_syscall_64+0x1b9/0x820 [ 895.183414] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 895.188782] ? syscall_return_slowpath+0x5e0/0x5e0 [ 895.193713] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 895.198752] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 895.203766] ? recalc_sigpending_tsk+0x180/0x180 [ 895.208525] ? kasan_check_write+0x14/0x20 [ 895.212780] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 895.217633] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 895.222844] RIP: 0033:0x457099 [ 895.226078] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 895.245008] RSP: 002b:00007f7d81711c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 07:50:40 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x500000000000000, 0x0, &(0x7f0000000080)}) 07:50:40 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) r0 = syz_open_dev$adsp(&(0x7f0000000080)='/dev/adsp#\x00', 0x7d, 0x4000) getsockopt$inet_sctp_SCTP_SOCKOPT_PEELOFF(0xffffffffffffff9c, 0x84, 0x66, &(0x7f00000000c0)={0x0, 0x550}, &(0x7f0000000140)=0x8) setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r0, 0x84, 0x9, &(0x7f0000000180)={r1, @in6={{0xa, 0x4e21, 0x80b, @ipv4, 0x2}}, 0x800004, 0x0, 0xcda6, 0x400000000b05, 0x8}, 0x98) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) pipe(&(0x7f0000000240)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$SNDRV_CTL_IOCTL_PCM_NEXT_DEVICE(r2, 0x80045530, &(0x7f0000000040)=""/18) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x0, 0x0) [ 895.252723] RAX: ffffffffffffffda RBX: 00007f7d817126d4 RCX: 0000000000457099 [ 895.259998] RDX: 00000000200003c0 RSI: 0000000020000380 RDI: 0000000000000000 [ 895.267267] RBP: 00000000009300a0 R08: 00000000200004c0 R09: 0000000000000000 [ 895.274535] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007 [ 895.281804] R13: 00000000004d3228 R14: 00000000004c81cc R15: 0000000000000010 07:50:40 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x0, @loopback, [0x900000000000000]}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 895.320624] could not allocate digest TFM handle sha1-generic6a [ 895.339407] 9pnet: Insufficient options for proto=fd [ 895.356350] binder: 15866:15882 got transaction to invalid handle [ 895.362680] binder: 15866:15882 transaction failed 29201/-22, size 1744830464-0 line 2855 07:50:40 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269633d4190204d78c200"}}) 07:50:40 executing program 7 (fault-call:5 fault-nth:17): socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 895.469982] binder: BINDER_SET_CONTEXT_MGR already set [ 895.499867] binder: 15887:15890 ioctl 40046207 0 returned -16 [ 895.530964] binder_alloc: binder_alloc_mmap_handler: 15866 20001000-20004000 already mapped failed -16 [ 895.542898] binder: BINDER_SET_CONTEXT_MGR already set [ 895.556749] binder: 15866:15874 ioctl 40046207 0 returned -16 [ 895.588020] binder: 15887:15896 got transaction to invalid handle [ 895.594420] binder: 15887:15896 transaction failed 29201/-22, size 0-0 line 2855 [ 895.602813] binder: 15866:15882 got transaction to invalid handle [ 895.609236] binder: 15866:15882 transaction failed 29201/-22, size 1744830464-0 line 2855 [ 895.634335] FAULT_INJECTION: forcing a failure. [ 895.634335] name failslab, interval 1, probability 0, space 0, times 0 [ 895.645734] CPU: 0 PID: 15907 Comm: syz-executor7 Not tainted 4.19.0-rc2-next-20180904+ #55 [ 895.653096] binder: release 15866:15874 transaction 10021 in, still active [ 895.654246] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 895.654254] Call Trace: [ 895.654279] dump_stack+0x1c9/0x2b4 [ 895.654302] ? dump_stack_print_info.cold.2+0x52/0x52 [ 895.654335] should_fail.cold.4+0xa/0x11 [ 895.654359] ? __kernel_text_address+0xd/0x40 [ 895.661381] binder: send failed reply for transaction 10021 to 15887:15896 [ 895.670706] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 895.670722] ? __save_stack_trace+0x8d/0xf0 [ 895.670754] ? save_stack+0xa9/0xd0 [ 895.673374] binder: undelivered TRANSACTION_ERROR: 29201 [ 895.676953] ? save_stack+0x43/0xd0 [ 895.676967] ? __kasan_slab_free+0x11a/0x170 [ 895.676991] ? find_held_lock+0x36/0x1c0 [ 895.728244] ? check_same_owner+0x340/0x340 [ 895.732586] ? rcu_note_context_switch+0x680/0x680 [ 895.737523] __should_failslab+0x124/0x180 [ 895.741773] should_failslab+0x9/0x14 [ 895.745575] __kmalloc+0x2b2/0x720 [ 895.749125] ? match_number.isra.0+0xbf/0x280 [ 895.753626] match_number.isra.0+0xbf/0x280 [ 895.758015] ? match_strdup+0xa0/0xa0 [ 895.761831] ? match_wildcard+0x3c0/0x3c0 [ 895.766000] match_int+0x23/0x30 [ 895.769369] parse_opts+0x32c/0x500 [ 895.773001] ? p9_fd_poll+0x2b0/0x2b0 [ 895.776805] ? kasan_check_write+0x14/0x20 [ 895.781047] ? trace_hardirqs_off+0xb8/0x2b0 [ 895.785461] ? _raw_spin_unlock_irqrestore+0x63/0xc0 [ 895.790565] ? kfree+0x111/0x210 [ 895.794291] ? kfree+0x111/0x210 [ 895.797676] ? lockdep_hardirqs_on+0x421/0x5c0 [ 895.802284] p9_fd_create+0x8b/0x3f0 [ 895.806016] ? p9_fd_show_options+0x1c0/0x1c0 [ 895.810519] ? p9_client_create+0xc16/0x1702 [ 895.814935] p9_client_create+0x877/0x1702 [ 895.819191] ? p9_client_read+0xae0/0xae0 [ 895.823356] ? __kmalloc_track_caller+0x26e/0x720 [ 895.828218] ? __lockdep_init_map+0x105/0x590 [ 895.832734] ? lockdep_init_map+0x9/0x10 [ 895.836813] ? kasan_check_write+0x14/0x20 [ 895.841051] ? __init_rwsem+0x1cc/0x2a0 [ 895.845035] ? do_raw_write_unlock.cold.8+0x49/0x49 [ 895.850060] ? rcu_read_lock_sched_held+0x108/0x120 [ 895.855075] ? __kmalloc_track_caller+0x590/0x720 [ 895.859931] ? save_stack+0x43/0xd0 [ 895.863589] ? kasan_kmalloc+0xc4/0xe0 [ 895.867486] v9fs_session_init+0x21a/0x1a80 [ 895.871814] ? v9fs_session_init+0x21a/0x1a80 [ 895.876311] ? find_held_lock+0x36/0x1c0 [ 895.880387] ? v9fs_show_options+0x7e0/0x7e0 [ 895.884800] ? kmem_cache_alloc_trace+0x275/0x730 [ 895.889645] ? kasan_check_read+0x11/0x20 [ 895.893798] ? rcu_is_watching+0x8c/0x150 [ 895.897946] ? trace_hardirqs_on+0xbd/0x2c0 [ 895.902536] ? rcu_pm_notify+0xc0/0xc0 [ 895.906435] ? v9fs_mount+0x61/0x900 [ 895.910158] ? rcu_read_lock_sched_held+0x108/0x120 [ 895.915191] ? kmem_cache_alloc_trace+0x324/0x730 [ 895.920046] v9fs_mount+0x7c/0x900 [ 895.923592] ? v9fs_drop_inode+0x150/0x150 [ 895.927843] legacy_get_tree+0x131/0x460 [ 895.931920] vfs_get_tree+0x1cb/0x5c0 [ 895.935731] do_mount+0x6f9/0x1e30 [ 895.939287] ? copy_mount_string+0x40/0x40 [ 895.943534] ? retint_kernel+0x10/0x10 [ 895.947439] ? copy_mount_options+0x213/0x380 [ 895.951949] ? __sanitizer_cov_trace_pc+0x14/0x50 [ 895.956799] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 895.962351] ? copy_mount_options+0x285/0x380 [ 895.966854] ksys_mount+0x12d/0x140 [ 895.970489] __x64_sys_mount+0xbe/0x150 [ 895.974473] do_syscall_64+0x1b9/0x820 [ 895.978368] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 895.983739] ? syscall_return_slowpath+0x5e0/0x5e0 [ 895.988676] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 895.993734] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 895.998755] ? recalc_sigpending_tsk+0x180/0x180 [ 896.003518] ? kasan_check_write+0x14/0x20 [ 896.007796] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 896.012654] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 896.017850] RIP: 0033:0x457099 [ 896.021064] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 896.039967] RSP: 002b:00007f7d81711c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 896.047681] RAX: ffffffffffffffda RBX: 00007f7d817126d4 RCX: 0000000000457099 07:50:41 executing program 1: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) socketpair(0x1, 0x1, 0x0, &(0x7f0000000140)={0x0, 0x0}) write$cgroup_int(r1, &(0x7f0000000980), 0xffffff4d) close(r1) recvmsg$kcm(r0, &(0x7f0000000200)={&(0x7f0000000040)=@ax25={0x3, {}}, 0x2, &(0x7f0000000000)=[{&(0x7f0000000080)=""/151, 0xffffff77}], 0x1, &(0x7f00000001c0)=""/17, 0xffda}, 0x3f00) 07:50:41 executing program 7 (fault-call:5 fault-nth:18): socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) 07:50:41 executing program 4: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000300), 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3000000, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x0, 0x0, &(0x7f0000000080)}) 07:50:41 executing program 2: write$P9_RSTATFS(0xffffffffffffffff, &(0x7f0000000480)={0x14f}, 0x43) r0 = perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x4000400204) r1 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp\x00', 0x0, 0x0) fdatasync(r0) ioctl$int_out(r1, 0x5460, &(0x7f0000000000)) 07:50:41 executing program 3: r0 = perf_event_open(&(0x7f000025c000)={0x2, 0x70, 0x3e2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) close(r0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) r1 = socket$inet6(0xa, 0x1000000000002, 0x0) r2 = gettid() timer_create(0x0, &(0x7f0000044000)={0x0, 0x12, 0x0, @thr={&(0x7f0000000040), &(0x7f0000000140)}}, &(0x7f0000044000)) timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, &(0x7f0000040000)) r3 = socket$inet(0x2, 0x1, 0x0) bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e26, @local}, 0x10) connect$inet(0xffffffffffffffff, &(0x7f00009322c4)={0x2, 0x0, @local={0xac, 0x14, 0xffffffffffffffff}}, 0x10) connect$inet(r3, &(0x7f0000000080)={0x2, 0x0, @loopback, [0x9]}, 0x10) dup2(r1, r3) tkill(r2, 0x1000200000016) [ 896.054951] RDX: 00000000200003c0 RSI: 0000000020000380 RDI: 0000000000000000 [ 896.062237] RBP: 00000000009300a0 R08: 00000000200004c0 R09: 0000000000000000 [ 896.069508] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007 [ 896.076781] R13: 00000000004d3228 R14: 00000000004c81cc R15: 0000000000000011 [ 896.084285] 9pnet: Insufficient options for proto=fd [ 896.095737] could not allocate digest TFM handle sha1-generic=A Mx 07:50:41 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e657269630de5d0e0df30365d00"}}) 07:50:41 executing program 6: r0 = syz_open_dev$binder(&(0x7f0000000180)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000100)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, &(0x7f0000000580)}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000140)={0x4, 0x0, &(0x7f0000000080)=[@enter_looper], 0x48, 0x0, &(0x7f0000000480)="f27aec438116cefc2a394072b6ad8809e53ac6553db7f225a4e47722a00ba8846454ad779316094e4bee8cab76761555d3676404fb3c728f045f7d9ecc9b2662539500d7df7d1802"}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000040)={0x44, 0x0, &(0x7f00000003c0)=[@transaction={0x40406300, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000280), &(0x7f00000002c0)}}], 0x3000000, 0x0, &(0x7f0000000080)}) [ 896.408694] FAULT_INJECTION: forcing a failure. [ 896.408694] name failslab, interval 1, probability 0, space 0, times 0 [ 896.420090] CPU: 1 PID: 15923 Comm: syz-executor7 Not tainted 4.19.0-rc2-next-20180904+ #55 [ 896.428592] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 896.437967] Call Trace: [ 896.440561] dump_stack+0x1c9/0x2b4 [ 896.444200] ? dump_stack_print_info.cold.2+0x52/0x52 [ 896.449398] ? kfree+0xd9/0x210 [ 896.452689] ? parse_opts+0x3b8/0x500 [ 896.456520] ? p9_fd_create+0x8b/0x3f0 [ 896.460408] ? p9_client_create+0x877/0x1702 [ 896.464828] ? v9fs_mount+0x7c/0x900 [ 896.468553] should_fail.cold.4+0xa/0x11 [ 896.472624] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 896.477742] ? kasan_check_write+0x14/0x20 [ 896.481984] ? trace_hardirqs_off+0xb8/0x2b0 [ 896.486400] ? _raw_spin_unlock_irqrestore+0x63/0xc0 [ 896.491516] ? trace_hardirqs_on+0x2c0/0x2c0 [ 896.495926] ? kfree+0x111/0x210 [ 896.499294] ? kfree+0x111/0x210 [ 896.502668] ? lockdep_hardirqs_on+0x421/0x5c0 [ 896.507258] ? find_held_lock+0x36/0x1c0 [ 896.511358] ? check_same_owner+0x340/0x340 [ 896.515682] ? p9_fd_poll+0x2b0/0x2b0 [ 896.519490] ? rcu_note_context_switch+0x680/0x680 [ 896.524423] ? kasan_check_write+0x14/0x20 [ 896.528679] __should_failslab+0x124/0x180 [ 896.532923] should_failslab+0x9/0x14 [ 896.536733] kmem_cache_alloc_trace+0x2b5/0x730 [ 896.541405] ? kfree+0x111/0x210 [ 896.544777] ? lockdep_hardirqs_on+0x421/0x5c0 [ 896.549371] p9_fd_create+0x1a7/0x3f0 [ 896.553194] ? p9_fd_show_options+0x1c0/0x1c0 [ 896.557704] ? p9_client_create+0xc16/0x1702 [ 896.562146] p9_client_create+0x877/0x1702 [ 896.566523] ? p9_client_read+0xae0/0xae0 [ 896.570983] ? __kmalloc_track_caller+0x26e/0x720 [ 896.575830] ? __lockdep_init_map+0x105/0x590 [ 896.580331] ? lockdep_init_map+0x9/0x10 [ 896.584395] ? kasan_check_write+0x14/0x20 [ 896.588648] ? __init_rwsem+0x1cc/0x2a0 [ 896.592638] ? do_raw_write_unlock.cold.8+0x49/0x49 [ 896.597659] ? rcu_read_lock_sched_held+0x108/0x120 [ 896.602675] ? __kmalloc_track_caller+0x590/0x720 [ 896.608004] ? save_stack+0x43/0xd0 [ 896.611644] ? kasan_kmalloc+0xc4/0xe0 [ 896.615547] v9fs_session_init+0x21a/0x1a80 [ 896.619870] ? v9fs_session_init+0x21a/0x1a80 [ 896.624407] ? find_held_lock+0x36/0x1c0 [ 896.628483] ? v9fs_show_options+0x7e0/0x7e0 [ 896.632894] ? kmem_cache_alloc_trace+0x275/0x730 [ 896.637750] ? kasan_check_read+0x11/0x20 [ 896.641923] ? rcu_is_watching+0x8c/0x150 [ 896.646090] ? trace_hardirqs_on+0xbd/0x2c0 [ 896.650410] ? rcu_pm_notify+0xc0/0xc0 [ 896.654305] ? v9fs_mount+0x61/0x900 [ 896.658025] ? rcu_read_lock_sched_held+0x108/0x120 [ 896.663054] ? kmem_cache_alloc_trace+0x324/0x730 [ 896.667905] v9fs_mount+0x7c/0x900 [ 896.671453] ? v9fs_drop_inode+0x150/0x150 [ 896.675691] legacy_get_tree+0x131/0x460 [ 896.679764] vfs_get_tree+0x1cb/0x5c0 [ 896.683567] do_mount+0x6f9/0x1e30 [ 896.687105] ? rcu_is_watching+0x8c/0x150 [ 896.691249] ? trace_hardirqs_on+0xbd/0x2c0 [ 896.695587] ? copy_mount_string+0x40/0x40 [ 896.699827] ? copy_mount_options+0x5f/0x380 [ 896.704241] ? kmem_cache_alloc_trace+0x324/0x730 [ 896.709092] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 896.714629] ? _copy_from_user+0xdf/0x150 [ 896.718818] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 896.724368] ? copy_mount_options+0x285/0x380 [ 896.728865] ksys_mount+0x12d/0x140 [ 896.732505] __x64_sys_mount+0xbe/0x150 [ 896.736481] do_syscall_64+0x1b9/0x820 [ 896.740372] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 896.745745] ? syscall_return_slowpath+0x5e0/0x5e0 [ 896.750676] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 896.755702] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 896.760722] ? recalc_sigpending_tsk+0x180/0x180 [ 896.765486] ? kasan_check_write+0x14/0x20 [ 896.769725] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 896.774584] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 896.779771] RIP: 0033:0x457099 [ 896.782970] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 896.801873] RSP: 002b:00007f7d81711c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 896.809584] RAX: ffffffffffffffda RBX: 00007f7d817126d4 RCX: 0000000000457099 [ 896.816870] RDX: 00000000200003c0 RSI: 0000000020000380 RDI: 0000000000000000 [ 896.824162] RBP: 00000000009300a0 R08: 00000000200004c0 R09: 0000000000000000 [ 896.831453] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007 [ 896.838719] R13: 00000000004d3228 R14: 00000000004c81cc R15: 0000000000000012 [ 896.865091] binder: 15918:15930 got transaction to invalid handle [ 896.871445] binder: 15918:15930 transaction failed 29201/-22, size 50331648-0 line 2855 [ 896.887681] could not allocate digest TFM handle sha1-generic 06] 07:50:41 executing program 0: r0 = add_key$keyring(&(0x7f0000000240)='keyring\x00', &(0x7f0000000080), 0x0, 0x0, 0xfffffffffffffffe) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d}, 0x0, 0x0, 0xffffffffffffffff, 0x0) add_key$keyring(&(0x7f0000000680)='keyring\x00', &(0x7f00000003c0), 0x0, 0x0, 0x0) r1 = add_key$user(&(0x7f0000000200)='user\x00', &(0x7f0000000340), &(0x7f0000000140)="19e848063e3d1b5be27f02d4d3d92f74c21ef50f7fd87471f328f1c70000000000000000", 0x24, 0xfffffffffffffffd) getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f00000000c0), &(0x7f0000000100)=0xc) fstat(0xffffffffffffffff, &(0x7f0000000400)) r2 = add_key$user(&(0x7f0000000000)='user\x00', &(0x7f0000000040), &(0x7f0000000580), 0x1b8, r0) keyctl$dh_compute(0x17, &(0x7f00000001c0)={r1, r2, r1}, &(0x7f0000a53ffb)=""/5, 0x3ca, &(0x7f0000000180)={&(0x7f00000002c0)={"736861312d67656e65726963dc02f56ef30f6400"}}) 07:50:41 executing program 2: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000abe000)}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) semctl$SEM_STAT(0x0, 0x4, 0x12, &(0x7f0000000980)=""/230) ioctl$PERF_EVENT_IOC_ENABLE(0xffffffffffffffff, 0x8912, 0x400200) r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000)='/dev/dsp\x00', 0x80000, 0x0) r1 = add_key$user(&(0x7f00000001c0)='user\x00', &(0x7f0000000200)={0x73, 0x79, 0x7a, 0x1}, &(0x7f0000000240)="1856e70f3a6d1fe64ebbd8f093333dbb7e7ae515331c02a7d3679df2776a442561d519be", 0x24, 0xfffffffffffffffa) r2 = add_key(&(0x7f0000000280)='ceph\x00', &(0x7f00000002c0)={0x73, 0x79, 0x7a, 0x1}, &(0x7f0000000300)="33c90a445118985f589c7923f5e7e9345da062228889e08793a2ba5264db1696a1fbc325fc8b84b579dcfca3a17ae8c81c2979b4af663646884004d0b157f3c72c", 0x41, 0xfffffffffffffffd) keyctl$unlink(0x9, r1, r2) getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000100)={0x0}, &(0x7f0000000140)=0xc) ioprio_set$pid(0x1, r3, 0x1) r4 = gettid() perf_event_open(&(0x7f0000000080)={0x1, 0x70, 0x1, 0x8, 0x20, 0x5, 0x0, 0x100000000, 0x80c84, 0x9, 0x7, 0x6, 0x5, 0xffffffffffffff54, 0x8, 0x3, 0xfff, 0xcb81, 0x5, 0x20, 0xb686, 0x54, 0x1f, 0x0, 0x6, 0x4, 0x9, 0xff, 0x81, 0x80, 0xf30, 0x2, 0x4, 0x2, 0x7, 0x5, 0x100000000, 0x4, 0x0, 0x3, 0x3, @perf_bp={&(0x7f0000000040), 0x5}, 0x21001, 0x1, 0x8, 0x7, 0x7ff, 0xffff, 0xfff}, r4, 0x0, r0, 0x8) finit_module(r0, &(0x7f0000000180)=':(\x00', 0x3) 07:50:41 executing program 7 (fault-call:5 fault-nth:19): socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000180)={0xffffffffffffffff, 0xffffffffffffffff}) add_key$keyring(&(0x7f0000000040)='keyring\x00', &(0x7f0000000400), 0x0, 0x0, 0xfffffffffffffffb) sched_setattr(0x0, &(0x7f0000000000)={0x0, 0x6}, 0x0) pipe2$9p(&(0x7f0000000100)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) mkdir(&(0x7f0000000140)='./file0\x00', 0x0) mount$9p_fd(0x0, &(0x7f0000000380)='./file0\x00', &(0x7f00000003c0)='9p\x00', 0x0, &(0x7f00000004c0)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x0, &(0x7f0000000a40)={@dev, @rand_addr}, &(0x7f0000000a80)=0xc) ioctl$PERF_EVENT_IOC_ENABLE(r0, 0x8912, 0x400200) [ 896.930886] binder: undelivered TRANSACTION_ERROR: 29201 [ 896.939032] binder: undelivered TRANSACTION_COMPLETE [ 896.944297] binder: undelivered TRANSACTION_ERROR: 29189 [ 896.980553] binder: BINDER_SET_CONTEXT_MGR already set [ 896.986941] binder: 15934:15936 ioctl 40046207 0 returned -16 [ 896.994826] binder_alloc: binder_alloc_mmap_handler: 15918 20001000-20004000 already mapped failed -16 [ 897.005287] binder: release 15934:15936 transaction 10028 out, still active [ 897.012503] binder: unexpected work type, 4, not freed [ 897.017849] binder: undelivered TRANSACTION_COMPLETE [ 897.024641] binder: BINDER_SET_CONTEXT_MGR already set [ 897.031122] binder: 15918:15938 got transaction to invalid handle [ 897.037487] binder: 15918:15938 transaction failed 29201/-22, size 50331648-0 line 2855 [ 897.047690] binder: 15918:15927 ioctl 40046207 0 returned -16 [ 897.054872] binder: release 15918:15927 transaction 10028 in, still active [ 897.062049] binder: send failed reply for transaction 10028, target dead [ 897.069031] binder: undelivered TRANSACTION_ERROR: 29201 [ 897.093388] binder: 15934:15940 got transaction to invalid handle [ 897.099771] binder: 15934:15940 transaction failed 29201/-22, size 0-0 line 2855 [ 897.153423] binder: undelivered TRANSACTION_ERROR: 29201 [ 897.187584] FAULT_INJECTION: forcing a failure. [ 897.187584] name failslab, interval 1, probability 0, space 0, times 0 [ 897.199005] CPU: 1 PID: 15950 Comm: syz-executor7 Not tainted 4.19.0-rc2-next-20180904+ #55 [ 897.207507] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 897.216872] Call Trace: [ 897.219491] dump_stack+0x1c9/0x2b4 [ 897.223143] ? dump_stack_print_info.cold.2+0x52/0x52 [ 897.228360] ? mark_held_locks+0x160/0x160 [ 897.232628] should_fail.cold.4+0xa/0x11 [ 897.236720] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 897.241850] ? find_held_lock+0x36/0x1c0 [ 897.245931] ? __lock_acquire+0x7fc/0x5020 [ 897.250188] ? graph_lock+0x170/0x170 [ 897.254009] ? find_held_lock+0x36/0x1c0 [ 897.258130] ? graph_lock+0x170/0x170 [ 897.261971] ? _raw_spin_unlock_irqrestore+0x74/0xc0 [ 897.267093] ? _raw_spin_unlock_irqrestore+0x74/0xc0 [ 897.272223] ? lockdep_hardirqs_on+0x421/0x5c0 [ 897.276850] ? check_same_owner+0x340/0x340 [ 897.281197] ? rcu_note_context_switch+0x680/0x680 [ 897.286168] __should_failslab+0x124/0x180 [ 897.290431] should_failslab+0x9/0x14 [ 897.294249] kmem_cache_alloc+0x29c/0x710 [ 897.298422] ? trace_hardirqs_on+0xbd/0x2c0 [ 897.302776] ? kasan_check_read+0x11/0x20 [ 897.306949] ? add_wait_queue+0x1b9/0x2b0 [ 897.311116] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 897.316249] p9_client_prepare_req.part.7+0xcf/0x870 [ 897.321377] ? trace_9p_protocol_dump+0x300/0x300 [ 897.326249] ? add_wait_queue+0x1b9/0x2b0 [ 897.330420] ? __wake_up_locked_key_bookmark+0x20/0x20 [ 897.335725] ? p9_pollwait+0x83/0x230 [ 897.339555] ? p9_conn_create+0x730/0x730 [ 897.343738] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 897.349301] p9_client_rpc+0x247/0x12c0 [ 897.353294] ? p9_fd_poll+0x1e0/0x2b0 [ 897.357119] ? p9_conn_create+0x55b/0x730 [ 897.361291] ? p9_client_prepare_req.part.7+0x870/0x870 [ 897.366709] ? ksys_dup3+0x690/0x690 [ 897.370451] ? kasan_check_read+0x11/0x20 [ 897.374618] ? rcu_is_watching+0x8c/0x150 [ 897.378783] ? trace_hardirqs_on+0xbd/0x2c0 [ 897.383122] ? rcu_pm_notify+0xc0/0xc0 [ 897.387048] ? rcu_read_lock_sched_held+0x108/0x120 [ 897.392080] ? kfree+0x111/0x210 [ 897.395488] ? lockdep_hardirqs_on+0x421/0x5c0 [ 897.400100] ? p9_fd_show_options+0x1c0/0x1c0 [ 897.404618] p9_client_create+0x9d6/0x1702 [ 897.408888] ? p9_client_read+0xae0/0xae0 [ 897.413114] ? hash_ipmac6_kadt+0x228/0x810 [ 897.417474] ? __kmalloc_track_caller+0x26e/0x720 [ 897.422331] ? __lockdep_init_map+0x105/0x590 [ 897.426849] ? lockdep_init_map+0x9/0x10 [ 897.430928] ? kasan_check_write+0x14/0x20 [ 897.435179] ? __init_rwsem+0x1cc/0x2a0 [ 897.439179] ? do_raw_write_unlock.cold.8+0x49/0x49 [ 897.444214] ? rcu_read_lock_sched_held+0x108/0x120 [ 897.449245] ? __kmalloc_track_caller+0x590/0x720 [ 897.454121] ? save_stack+0x43/0xd0 [ 897.457763] ? kasan_kmalloc+0xc4/0xe0 [ 897.461679] v9fs_session_init+0x21a/0x1a80 [ 897.466029] ? v9fs_session_init+0x21a/0x1a80 [ 897.470545] ? find_held_lock+0x36/0x1c0 [ 897.474631] ? v9fs_show_options+0x7e0/0x7e0 [ 897.479060] ? kmem_cache_alloc_trace+0x275/0x730 [ 897.483922] ? kasan_check_read+0x11/0x20 [ 897.488083] ? rcu_is_watching+0x8c/0x150 [ 897.492244] ? trace_hardirqs_on+0xbd/0x2c0 [ 897.496581] ? rcu_pm_notify+0xc0/0xc0 [ 897.500494] ? v9fs_mount+0x61/0x900 [ 897.504230] ? rcu_read_lock_sched_held+0x108/0x120 [ 897.509260] ? kmem_cache_alloc_trace+0x324/0x730 [ 897.514132] v9fs_mount+0x7c/0x900 [ 897.517692] ? v9fs_drop_inode+0x150/0x150 [ 897.521948] legacy_get_tree+0x131/0x460 [ 897.526028] vfs_get_tree+0x1cb/0x5c0 [ 897.529848] do_mount+0x6f9/0x1e30 [ 897.533402] ? rcu_is_watching+0x8c/0x150 [ 897.537577] ? trace_hardirqs_on+0xbd/0x2c0 [ 897.541916] ? copy_mount_string+0x40/0x40 [ 897.546171] ? copy_mount_options+0x5f/0x380 [ 897.550594] ? kmem_cache_alloc_trace+0x324/0x730 [ 897.555455] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 897.561042] ? _copy_from_user+0xdf/0x150 [ 897.565236] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 897.570788] ? copy_mount_options+0x285/0x380 [ 897.575322] ksys_mount+0x12d/0x140 [ 897.578982] __x64_sys_mount+0xbe/0x150 [ 897.583000] do_syscall_64+0x1b9/0x820 [ 897.586916] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 897.592307] ? syscall_return_slowpath+0x5e0/0x5e0 [ 897.597276] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 897.602154] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 897.607196] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 897.612232] ? prepare_exit_to_usermode+0x291/0x3b0 [ 897.617276] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 897.622143] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 897.627343] RIP: 0033:0x457099 [ 897.630544] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 897.649444] RSP: 002b:00007f7d81711c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 897.657158] RAX: ffffffffffffffda RBX: 00007f7d817126d4 RCX: 0000000000457099 [ 897.664434] RDX: 00000000200003c0 RSI: 0000000020000380 RDI: 0000000000000000 [ 897.671715] RBP: 00000000009300a0 R08: 00000000200004c0 R09: 0000000000000000 [ 897.679021] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007 [ 897.686291] R13: 00000000004d3228 R14: 00000000004c81cc R15: 0000000000000013 [ 897.693769] kasan: CONFIG_KASAN_INLINE enabled [ 897.698404] kasan: GPF could be caused by NULL-ptr deref or user memory access [ 897.705819] general protection fault: 0000 [#1] SMP KASAN [ 897.711369] CPU: 1 PID: 15950 Comm: syz-executor7 Not tainted 4.19.0-rc2-next-20180904+ #55 [ 897.719877] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 897.729252] RIP: 0010:p9_client_prepare_req.part.7+0x44f/0x870 [ 897.735236] Code: ff 0f 87 29 fd ff ff e8 bf 00 d4 fa 0f be 85 a4 fe ff ff 4c 89 ea 48 c1 ea 03 89 85 a4 fe ff ff 48 b8 00 00 00 00 00 fc ff df <0f> b6 14 02 4c 89 e8 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85 97 [ 897.754141] RSP: 0018:ffff88012968f1f0 EFLAGS: 00010203 [ 897.759514] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004492000 [ 897.766800] RDX: 000000000000000b RSI: ffffffff86a8d5b1 RDI: 0000000000000286 [ 897.774096] RBP: ffff88012968f368 R08: ffffed003b6246df R09: ffffed003b6246de [ 897.781372] R10: ffffed003b6246de R11: ffff8801db1236f3 R12: ffff8801c153e840 [ 897.788644] R13: 000000000000005e R14: 0000000000002000 R15: ffff8801c153e878 [ 897.796165] FS: 00007f7d81712700(0000) GS:ffff8801db100000(0000) knlGS:0000000000000000 [ 897.804396] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 897.810289] CR2: 000000000047c360 CR3: 00000001c3ac9000 CR4: 00000000001426e0 [ 897.817578] Call Trace: [ 897.820174] ? trace_9p_protocol_dump+0x300/0x300 [ 897.825020] ? add_wait_queue+0x1b9/0x2b0 [ 897.829172] ? __wake_up_locked_key_bookmark+0x20/0x20 [ 897.834459] ? p9_pollwait+0x83/0x230 [ 897.838260] ? p9_conn_create+0x730/0x730 [ 897.842414] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 897.847952] p9_client_rpc+0x247/0x12c0 [ 897.851930] ? p9_fd_poll+0x1e0/0x2b0 [ 897.855737] ? p9_conn_create+0x55b/0x730 [ 897.859889] ? p9_client_prepare_req.part.7+0x870/0x870 [ 897.865282] ? ksys_dup3+0x690/0x690 [ 897.868996] ? kasan_check_read+0x11/0x20 [ 897.873144] ? rcu_is_watching+0x8c/0x150 [ 897.877300] ? trace_hardirqs_on+0xbd/0x2c0 [ 897.881619] ? rcu_pm_notify+0xc0/0xc0 [ 897.885519] ? rcu_read_lock_sched_held+0x108/0x120 [ 897.890532] ? kfree+0x111/0x210 [ 897.893897] ? lockdep_hardirqs_on+0x421/0x5c0 [ 897.898487] ? p9_fd_show_options+0x1c0/0x1c0 [ 897.903458] p9_client_create+0x9d6/0x1702 [ 897.907699] ? p9_client_read+0xae0/0xae0 [ 897.911855] ? hash_ipmac6_kadt+0x228/0x810 [ 897.916182] ? __kmalloc_track_caller+0x26e/0x720 [ 897.921026] ? __lockdep_init_map+0x105/0x590 [ 897.925522] ? lockdep_init_map+0x9/0x10 [ 897.929583] ? kasan_check_write+0x14/0x20 [ 897.933818] ? __init_rwsem+0x1cc/0x2a0 [ 897.937793] ? do_raw_write_unlock.cold.8+0x49/0x49 [ 897.942920] ? rcu_read_lock_sched_held+0x108/0x120 [ 897.947944] ? __kmalloc_track_caller+0x590/0x720 [ 897.952795] ? save_stack+0x43/0xd0 [ 897.956420] ? kasan_kmalloc+0xc4/0xe0 [ 897.960316] v9fs_session_init+0x21a/0x1a80 [ 897.964638] ? v9fs_session_init+0x21a/0x1a80 [ 897.969133] ? find_held_lock+0x36/0x1c0 [ 897.973205] ? v9fs_show_options+0x7e0/0x7e0 [ 897.977617] ? kmem_cache_alloc_trace+0x275/0x730 [ 897.982464] ? kasan_check_read+0x11/0x20 [ 897.986622] ? rcu_is_watching+0x8c/0x150 [ 897.990772] ? trace_hardirqs_on+0xbd/0x2c0 [ 897.995092] ? rcu_pm_notify+0xc0/0xc0 [ 897.998994] ? v9fs_mount+0x61/0x900 [ 898.002725] ? rcu_read_lock_sched_held+0x108/0x120 [ 898.007751] ? kmem_cache_alloc_trace+0x324/0x730 [ 898.012598] v9fs_mount+0x7c/0x900 [ 898.016140] ? v9fs_drop_inode+0x150/0x150 [ 898.020379] legacy_get_tree+0x131/0x460 [ 898.024444] vfs_get_tree+0x1cb/0x5c0 [ 898.028250] do_mount+0x6f9/0x1e30 [ 898.031799] ? rcu_is_watching+0x8c/0x150 [ 898.035974] ? trace_hardirqs_on+0xbd/0x2c0 [ 898.040310] ? copy_mount_string+0x40/0x40 [ 898.044544] ? copy_mount_options+0x5f/0x380 [ 898.048963] ? kmem_cache_alloc_trace+0x324/0x730 [ 898.053838] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 898.059377] ? _copy_from_user+0xdf/0x150 [ 898.063529] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 898.069074] ? copy_mount_options+0x285/0x380 [ 898.073575] ksys_mount+0x12d/0x140 [ 898.077209] __x64_sys_mount+0xbe/0x150 [ 898.081202] do_syscall_64+0x1b9/0x820 [ 898.085094] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 898.090461] ? syscall_return_slowpath+0x5e0/0x5e0 [ 898.095390] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 898.100236] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 898.105279] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 898.110323] ? prepare_exit_to_usermode+0x291/0x3b0 [ 898.115343] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 898.120215] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 898.125403] RIP: 0033:0x457099 [ 898.128596] Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 898.147492] RSP: 002b:00007f7d81711c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 898.155210] RAX: ffffffffffffffda RBX: 00007f7d817126d4 RCX: 0000000000457099 [ 898.162504] RDX: 00000000200003c0 RSI: 0000000020000380 RDI: 0000000000000000 [ 898.169777] RBP: 00000000009300a0 R08: 00000000200004c0 R09: 0000000000000000 [ 898.177048] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007 [ 898.184323] R13: 00000000004d3228 R14: 00000000004c81cc R15: 0000000000000013 [ 898.191610] Modules linked in: [ 898.194818] Dumping ftrace buffer: [ 898.198353] (ftrace buffer empty) [ 898.202262] ---[ end trace 357cbc52e39b78df ]--- [ 898.207071] RIP: 0010:p9_client_prepare_req.part.7+0x44f/0x870 [ 898.213080] Code: ff 0f 87 29 fd ff ff e8 bf 00 d4 fa 0f be 85 a4 fe ff ff 4c 89 ea 48 c1 ea 03 89 85 a4 fe ff ff 48 b8 00 00 00 00 00 fc ff df <0f> b6 14 02 4c 89 e8 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85 97 [ 898.221032] could not allocate digest TFM handle sha1-genericnd [ 898.232041] RSP: 0018:ffff88012968f1f0 EFLAGS: 00010203 [ 898.232055] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004492000 [ 898.232064] RDX: 000000000000000b RSI: ffffffff86a8d5b1 RDI: 0000000000000286 [ 898.232073] RBP: ffff88012968f368 R08: ffffed003b6246df R09: ffffed003b6246de [ 898.232082] R10: ffffed003b6246de R11: ffff8801db1236f3 R12: ffff8801c153e840 [ 898.232091] R13: 000000000000005e R14: 0000000000002000 R15: ffff8801c153e878 [ 898.232103] FS: 00007f7d81712700(0000) GS:ffff8801db100000(0000) knlGS:0000000000000000 [ 898.232113] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 898.232121] CR2: 000000000047c360 CR3: 00000001c3ac9000 CR4: 00000000001426e0 [ 898.232138] Kernel panic - not syncing: Fatal exception [ 898.232467] Dumping ftrace buffer: [ 898.232473] (ftrace buffer empty) [ 898.232478] Kernel Offset: disabled [ 898.317988] Rebooting in 86400 seconds..