cks suppressed 03:50:29 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x48, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 400.311202][T20571] binder_alloc: binder_alloc_mmap_handler: 20564 20001000-20004000 already mapped failed -16 [ 400.338953][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 400.362229][T20568] binder: BINDER_SET_CONTEXT_MGR already set 03:50:29 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000ab, 0x0) 03:50:29 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x600000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 400.383854][T20575] binder: 20564:20575 ioctl c0306201 200002c0 returned -14 [ 400.398898][T20568] binder: 20564:20568 ioctl 40046207 0 returned -16 [ 400.417071][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 400.432701][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 400.467524][ T17] binder: send failed reply for transaction 1723 to 20564:20568 [ 400.498868][ T17] binder: undelivered TRANSACTION_COMPLETE 03:50:29 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x6c00000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:29 executing program 3: getpid() perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$LOOP_CTL_REMOVE(0xffffffffffffffff, 0x4c81, 0x0) sendmsg$TIPC_CMD_GET_NETID(0xffffffffffffffff, 0x0, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0x7000)=nil, 0x7000, 0x0, 0x11, 0xffffffffffffffff, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000100)=[@textreal={0x8, 0x0}], 0x1, 0x0, 0x0, 0x0) 03:50:29 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000af, 0x0) 03:50:29 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x4c, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 400.517774][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 400.556731][ T17] binder: undelivered TRANSACTION_ERROR: 29189 03:50:29 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000ac, 0x0) 03:50:29 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x700000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 400.611322][T20594] binder: 20593:20594 ioctl c0306201 200002c0 returned -14 [ 400.690667][T20605] binder_alloc: binder_alloc_mmap_handler: 20593 20001000-20004000 already mapped failed -16 03:50:29 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x68, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 400.739350][T20594] binder: BINDER_SET_CONTEXT_MGR already set [ 400.749197][T20594] binder: 20593:20594 ioctl 40046207 0 returned -16 [ 400.766116][T20610] binder: 20593:20610 ioctl c0306201 200002c0 returned -14 03:50:29 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000b0, 0x0) 03:50:29 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000ad, 0x0) [ 400.788374][ T12] binder: release 20593:20594 transaction 1730 out, still active [ 400.800963][ T12] binder: unexpected work type, 4, not freed 03:50:29 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x7400000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:29 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x800000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 400.857645][ T12] binder: undelivered TRANSACTION_COMPLETE [ 400.882173][ T12] binder: send failed reply for transaction 1730, target dead 03:50:29 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x6c, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:29 executing program 3: openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net/ipv4/vs/sync_refresh_period\x00', 0x2, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000400)={0x0, 0x3, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) setsockopt$sock_timeval(0xffffffffffffffff, 0x1, 0x0, 0x0, 0x0) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, 0x0, 0x242, 0x0, 0x0, 0x0) ioctl$KVM_REGISTER_COALESCED_MMIO(r1, 0x4010ae67, &(0x7f0000000140)={0x0, 0x8000}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000000000/0x18000)=nil, 0x0, 0x30, 0x0, 0x0, 0xfffffffffffffee3) ioctl$KVM_NMI(r2, 0xae9a) ioctl$KVM_RUN(r2, 0xae80, 0x0) 03:50:29 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000b1, 0x0) [ 401.032436][T20634] binder: 20629:20634 ioctl c0306201 200002c0 returned -14 [ 401.039672][T20632] binder: 20631:20632 got transaction with invalid offset (0, min 0 max 0) or object. [ 401.050041][T20627] binder: 20626:20627 got transaction with invalid offset (0, min 0 max 0) or object. 03:50:29 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000ae, 0x0) [ 401.087015][T20640] binder_alloc: binder_alloc_mmap_handler: 20629 20001000-20004000 already mapped failed -16 03:50:29 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x74, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:29 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0xa00000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 401.166845][T20634] binder: BINDER_SET_CONTEXT_MGR already set [ 401.203225][T20639] kvm: emulating exchange as write 03:50:30 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000af, 0x0) 03:50:30 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000b2, 0x0) [ 401.243759][T20634] binder: 20629:20634 ioctl 40046207 0 returned -16 [ 401.259729][T20655] binder_alloc_new_buf_locked: 11 callbacks suppressed [ 401.259738][T20655] binder_alloc: 20629: binder_alloc_buf, no vma [ 401.280283][T20654] binder: 20629:20654 ioctl c0306201 200002c0 returned -14 [ 401.289691][ T17] binder: release 20629:20634 transaction 1738 out, still active [ 401.310228][ T17] binder: unexpected work type, 4, not freed [ 401.331234][ T17] binder: undelivered TRANSACTION_COMPLETE [ 401.345946][T20640] binder_alloc: 20629: binder_alloc_buf, no vma [ 401.359822][ T17] binder: send failed reply for transaction 1738, target dead [ 401.367396][T20656] binder_alloc: 20629: binder_alloc_buf, no vma 03:50:30 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x7a, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:30 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x7a00000000000000, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:30 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000b3, 0x0) 03:50:30 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x2000000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:30 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000b0, 0x0) [ 401.553250][T20674] binder: 20672:20674 ioctl c0306201 200002c0 returned -14 [ 401.585272][T20679] binder: 20676:20679 got transaction with invalid offset (0, min 0 max 0) or object. [ 401.605194][T20682] binder: 20675:20682 got transaction with invalid offset (0, min 0 max 0) or object. [ 401.626248][T20684] binder_alloc: binder_alloc_mmap_handler: 20672 20001000-20004000 already mapped failed -16 03:50:30 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) 03:50:30 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000b4, 0x0) 03:50:30 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000b1, 0x0) [ 401.670979][T20674] binder: BINDER_SET_CONTEXT_MGR already set 03:50:30 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x4800000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:30 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x300, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 401.725664][T20674] binder: 20672:20674 ioctl 40046207 0 returned -16 [ 401.745918][T20684] binder_alloc: 20672: binder_alloc_buf, no vma [ 401.797631][T20689] binder: 20672:20689 ioctl c0306201 200002c0 returned -14 [ 401.822804][T20694] binder_alloc: 20672: binder_alloc_buf, no vma 03:50:30 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000b5, 0x0) [ 401.842345][ T12] binder: release 20672:20674 transaction 1747 out, still active [ 401.850111][ T12] binder: unexpected work type, 4, not freed 03:50:30 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x500, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:30 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x630b, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:30 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000b2, 0x0) [ 401.894494][T20701] binder_alloc: 20672: binder_alloc_buf, no vma [ 401.900873][ T12] binder: undelivered TRANSACTION_COMPLETE [ 401.920407][ T12] binder: send failed reply for transaction 1747, target dead 03:50:30 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x4c00000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 402.038038][T20715] binder: 20713:20715 ERROR: BC_REGISTER_LOOPER called without request [ 402.050512][T20715] binder: 20713:20715 unknown command 0 [ 402.060627][T20715] binder: 20713:20715 ioctl c0306201 200002c0 returned -22 [ 402.068258][T20717] binder: 20714:20717 got transaction with invalid offset (0, min 0 max 0) or object. 03:50:30 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000b6, 0x0) [ 402.088523][T20720] binder_alloc: binder_alloc_mmap_handler: 20713 20001000-20004000 already mapped failed -16 [ 402.112721][T20715] binder: BINDER_SET_CONTEXT_MGR already set 03:50:30 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000b3, 0x0) [ 402.139650][T20715] binder: 20713:20715 ioctl 40046207 0 returned -16 [ 402.141837][T20725] binder: 20713:20725 ERROR: BC_REGISTER_LOOPER called without request [ 402.147037][T20723] binder_alloc: 20713: binder_alloc_buf, no vma [ 402.180761][T20720] binder_alloc: 20713: binder_alloc_buf, no vma [ 402.230741][ T17] binder: release 20713:20715 transaction 1756 out, still active [ 402.250460][ T17] binder: unexpected work type, 4, not freed [ 402.280575][ T17] binder: undelivered TRANSACTION_COMPLETE [ 402.288377][T20725] binder: 20713:20725 unknown command 0 [ 402.303766][ T17] binder: send failed reply for transaction 1756, target dead [ 402.341278][T20725] binder: 20713:20725 ioctl c0306201 200002c0 returned -22 03:50:31 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) 03:50:31 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x600, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:31 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000b7, 0x0) 03:50:31 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x6000000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:31 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000b4, 0x0) 03:50:31 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x630c, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:31 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x6800000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 402.594465][T20743] binder: 20739:20743 got transaction with invalid offset (0, min 0 max 0) or object. [ 402.604871][T20745] binder: 20742:20745 unknown command 0 [ 402.632673][T20745] binder: 20742:20745 ioctl c0306201 200002c0 returned -22 03:50:31 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000b5, 0x0) 03:50:31 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000b8, 0x0) [ 402.728345][T20755] binder_alloc: binder_alloc_mmap_handler: 20742 20001000-20004000 already mapped failed -16 03:50:31 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x700, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:31 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000b9, 0x0) [ 402.770261][T20760] binder_alloc: 20742: binder_alloc_buf, no vma [ 402.802464][T20745] binder: BINDER_SET_CONTEXT_MGR already set 03:50:31 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x6c00000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 402.838022][T20745] binder: 20742:20745 ioctl 40046207 0 returned -16 [ 402.838259][T20765] binder: 20742:20765 unknown command 0 [ 402.887368][T20755] binder_alloc: 20742: binder_alloc_buf, no vma [ 402.915060][ T17] binder: release 20742:20745 transaction 1765 out, still active [ 402.923796][T20765] binder: 20742:20765 ioctl c0306201 200002c0 returned -22 [ 402.940901][ T17] binder: unexpected work type, 4, not freed [ 402.970111][ T17] binder: undelivered TRANSACTION_COMPLETE [ 402.995458][ T17] binder: send failed reply for transaction 1765, target dead 03:50:32 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) 03:50:32 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000b6, 0x0) 03:50:32 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0xa00, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:32 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x630d, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:32 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x7400000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:32 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000ba, 0x0) [ 403.306799][T20793] binder: 20792:20793 unknown command 0 [ 403.340824][T20793] binder: 20792:20793 ioctl c0306201 200002c0 returned -22 03:50:32 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x7a00000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:32 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x4800, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:32 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000bb, 0x0) [ 403.358808][T20797] binder_alloc: binder_alloc_mmap_handler: 20792 20001000-20004000 already mapped failed -16 03:50:32 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000b7, 0x0) [ 403.407344][T20793] binder: BINDER_SET_CONTEXT_MGR already set [ 403.444188][T20793] binder: 20792:20793 ioctl 40046207 0 returned -16 [ 403.478280][T20805] binder: 20792:20805 unknown command 0 [ 403.505106][T20805] binder: 20792:20805 ioctl c0306201 200002c0 returned -22 03:50:32 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x4c00, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:32 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0xfdfdffff00000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 403.526014][ T17] binder: release 20792:20793 transaction 1775 out, still active [ 403.540015][ T17] binder: unexpected work type, 4, not freed [ 403.540029][ T17] binder: undelivered TRANSACTION_COMPLETE [ 403.595474][ T17] binder: send failed reply for transaction 1775, target dead 03:50:32 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) 03:50:32 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40046302, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:32 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000b8, 0x0) 03:50:32 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000bc, 0x0) 03:50:32 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x6800, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:32 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:32 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000bd, 0x0) 03:50:32 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000b9, 0x0) 03:50:32 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 403.969763][T20840] binder: BC_ACQUIRE_RESULT not supported [ 403.978181][T20831] binder: 20830:20831 got transaction with invalid offset (0, min 0 max 0) or object. [ 404.004660][T20840] binder: 20838:20840 ioctl c0306201 200002c0 returned -22 03:50:32 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x6c00, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 404.069014][T20850] binder_alloc: binder_alloc_mmap_handler: 20838 20001000-20004000 already mapped failed -16 03:50:32 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000be, 0x0) 03:50:32 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000ba, 0x0) [ 404.136845][T20840] binder: BINDER_SET_CONTEXT_MGR already set [ 404.146350][T20855] binder: BC_ACQUIRE_RESULT not supported [ 404.176368][T20855] binder: 20838:20855 ioctl c0306201 200002c0 returned -22 [ 404.200674][T20840] binder: 20838:20840 ioctl 40046207 0 returned -16 [ 404.244543][ T12] binder: release 20838:20840 transaction 1785 out, still active [ 404.260299][ T12] binder: unexpected work type, 4, not freed [ 404.322572][ T12] binder: undelivered TRANSACTION_COMPLETE [ 404.329398][ T12] binder: send failed reply for transaction 1785, target dead 03:50:33 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, &(0x7f0000000380)=""/154, 0x9a) 03:50:33 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:33 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x7400, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:33 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40046304, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:33 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000bf, 0x0) 03:50:33 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000bb, 0x0) [ 404.616284][T20881] binder: 20879:20881 got transaction with invalid offset (0, min 0 max 0) or object. [ 404.627353][T20880] binder: 20878:20880 got transaction with invalid offset (0, min 0 max 0) or object. [ 404.639162][T20886] binder: 20884:20886 unknown command 0 [ 404.642022][T20881] binder_transaction: 38 callbacks suppressed [ 404.642040][T20881] binder: 20879:20881 transaction failed 29201/-22, size 0-8 line 3241 03:50:33 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000bc, 0x0) [ 404.659975][T20886] binder: 20884:20886 ioctl c0306201 200002c0 returned -22 [ 404.672189][T20880] binder: 20878:20880 transaction failed 29201/-22, size 0-8 line 3241 [ 404.683037][T20890] binder_alloc: binder_alloc_mmap_handler: 20884 20001000-20004000 already mapped failed -16 [ 404.696841][T20886] binder: BINDER_SET_CONTEXT_MGR already set 03:50:33 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000c0, 0x0) [ 404.722417][T20886] binder: 20884:20886 ioctl 40046207 0 returned -16 03:50:33 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x7a00, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 404.805839][ T12] binder: release 20884:20886 transaction 1795 out, still active [ 404.814293][T20890] binder: 20884:20890 transaction failed 29189/-3, size 24-8 line 3147 [ 404.826259][ T12] binder: unexpected work type, 4, not freed [ 404.845067][T20892] binder: 20884:20892 unknown command 0 [ 404.845113][ T12] binder: undelivered TRANSACTION_COMPLETE [ 404.869895][T20892] binder: 20884:20892 ioctl c0306201 200002c0 returned -22 03:50:33 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 404.903286][T20904] binder: 20901:20904 transaction failed 29189/-3, size 0-8 line 3147 [ 404.918705][ T12] binder_release_work: 36 callbacks suppressed [ 404.918711][ T12] binder: undelivered TRANSACTION_ERROR: 29201 [ 404.946924][ T12] binder: undelivered TRANSACTION_ERROR: 29201 03:50:33 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x1000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:33 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40046307, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 404.963614][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 404.976285][ T12] binder: send failed reply for transaction 1795, target dead [ 404.997104][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 405.018808][T20912] binder: 20910:20912 transaction failed 29189/-22, size 0-8 line 2994 [ 405.039402][T20915] binder: 20914:20915 transaction failed 29189/-22, size 0-8 line 2994 [ 405.094698][T20919] binder: 20918:20919 DecRefs 0 refcount change on invalid ref 0 ret -22 [ 405.110882][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 405.121482][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 405.136031][T20919] binder: 20918:20919 unknown command 0 [ 405.144636][T20919] binder: 20918:20919 ioctl c0306201 200002c0 returned -22 [ 405.165288][T20922] binder_alloc: binder_alloc_mmap_handler: 20918 20001000-20004000 already mapped failed -16 [ 405.177907][T20922] binder: BINDER_SET_CONTEXT_MGR already set [ 405.190493][T20923] binder: 20918:20923 DecRefs 0 refcount change on invalid ref 0 ret -22 [ 405.199205][T20919] binder: 20918:20919 transaction failed 29189/-3, size 24-8 line 3147 [ 405.208462][T20922] binder: 20918:20922 ioctl 40046207 0 returned -16 [ 405.215174][T20923] binder: 20918:20923 unknown command 0 [ 405.221610][T20923] binder: 20918:20923 ioctl c0306201 200002c0 returned -22 [ 405.229661][ T12] binder: release 20918:20919 transaction 1805 out, still active [ 405.241942][ T12] binder: unexpected work type, 4, not freed [ 405.247947][ T12] binder: undelivered TRANSACTION_COMPLETE [ 405.261878][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 405.268131][ T12] binder: send failed reply for transaction 1805, target dead 03:50:34 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, &(0x7f0000000380)=""/154, 0x9a) 03:50:34 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000c1, 0x0) 03:50:34 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000bd, 0x0) 03:50:34 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:34 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x2000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:34 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40086303, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 405.415171][T20930] binder: 20929:20930 BC_FREE_BUFFER u0000000000000000 no match [ 405.422171][T20933] binder: 20928:20933 got transaction with invalid offset (0, min 0 max 0) or object. [ 405.430767][T20930] binder: 20929:20930 unknown command 0 [ 405.439799][T20931] binder: 20927:20931 transaction failed 29201/-22, size 0-8 line 3241 [ 405.441808][T20930] binder: 20929:20930 ioctl c0306201 200002c0 returned -22 [ 405.455119][T20933] binder: 20928:20933 transaction failed 29201/-22, size 0-8 line 3241 03:50:34 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000c2, 0x0) [ 405.489538][T20937] binder_alloc: binder_alloc_mmap_handler: 20929 20001000-20004000 already mapped failed -16 03:50:34 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000be, 0x0) [ 405.534982][T20930] binder: BINDER_SET_CONTEXT_MGR already set [ 405.561852][T20930] binder: 20929:20930 ioctl 40046207 0 returned -16 03:50:34 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 405.587696][ T12] binder: undelivered TRANSACTION_ERROR: 29201 [ 405.639119][T20930] binder: 20929:20930 transaction failed 29189/-3, size 24-8 line 3147 [ 405.657896][T20937] binder: 20929:20937 BC_FREE_BUFFER u0000000000000000 no match [ 405.679590][T20937] binder: 20929:20937 unknown command 0 03:50:34 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x3000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:34 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000c3, 0x0) 03:50:34 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 405.698725][ T17] binder: release 20929:20930 transaction 1810 out, still active [ 405.712984][T20937] binder: 20929:20937 ioctl c0306201 200002c0 returned -22 [ 405.739688][ T17] binder: unexpected work type, 4, not freed [ 405.781541][ T17] binder: undelivered TRANSACTION_COMPLETE [ 405.801041][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 405.834594][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 405.859997][ T17] binder: send failed reply for transaction 1810, target dead 03:50:34 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, &(0x7f0000000380)=""/154, 0x9a) 03:50:34 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000bf, 0x0) 03:50:34 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0xa, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:34 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x4008630a, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:34 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x4000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:34 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000c4, 0x0) 03:50:34 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x5000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:34 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x48, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:34 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000c5, 0x0) 03:50:35 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000c0, 0x0) [ 406.181469][T20980] binder: BC_ATTEMPT_ACQUIRE not supported [ 406.202699][T20980] binder: 20977:20980 ioctl c0306201 200002c0 returned -22 [ 406.257247][T20989] binder_alloc: binder_alloc_mmap_handler: 20977 20001000-20004000 already mapped failed -16 [ 406.288937][T20992] binder_alloc_new_buf_locked: 16 callbacks suppressed [ 406.288946][T20992] binder_alloc: 20977: binder_alloc_buf, no vma [ 406.290498][T20980] binder: BINDER_SET_CONTEXT_MGR already set 03:50:35 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000c1, 0x0) [ 406.350048][T20998] binder: BC_ATTEMPT_ACQUIRE not supported [ 406.362248][T20980] binder: 20977:20980 ioctl 40046207 0 returned -16 [ 406.364100][T20996] binder_alloc: 20977: binder_alloc_buf, no vma [ 406.384648][T20998] binder: 20977:20998 ioctl c0306201 200002c0 returned -22 03:50:35 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x4c, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 406.399160][ T17] binder: release 20977:20980 transaction 1822 out, still active [ 406.411623][ T17] binder: unexpected work type, 4, not freed [ 406.428398][T20989] binder_alloc: 20977: binder_alloc_buf, no vma [ 406.470652][ T17] binder: undelivered TRANSACTION_COMPLETE [ 406.498764][ T17] binder: send failed reply for transaction 1822, target dead 03:50:35 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) 03:50:35 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000c6, 0x0) 03:50:35 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x6000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:35 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000c2, 0x0) 03:50:35 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x60, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:35 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40086310, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 406.796639][T21024] binder_transaction: 1 callbacks suppressed [ 406.796655][T21024] binder: 21018:21024 got transaction with invalid offset (0, min 0 max 0) or object. [ 406.800099][T21019] binder: 21017:21019 BC_DEAD_BINDER_DONE 0000000000000000 not found [ 406.803706][T21021] binder: 21016:21021 got transaction with invalid offset (0, min 0 max 0) or object. 03:50:35 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x68, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 406.851019][T21019] binder: 21017:21019 unknown command 0 [ 406.859230][T21019] binder: 21017:21019 ioctl c0306201 200002c0 returned -22 [ 406.889959][T21032] binder: 21031:21032 got transaction with invalid offset (0, min 0 max 0) or object. 03:50:35 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x7000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 406.903505][T21033] binder_alloc: binder_alloc_mmap_handler: 21017 20001000-20004000 already mapped failed -16 [ 406.917821][T21019] binder: BINDER_SET_CONTEXT_MGR already set 03:50:35 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000c3, 0x0) [ 406.954877][T21019] binder: 21017:21019 ioctl 40046207 0 returned -16 03:50:35 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x6c, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 407.003619][T21037] binder_alloc: 21017: binder_alloc_buf, no vma [ 407.006844][ T17] binder: release 21017:21019 transaction 1831 out, still active [ 407.035150][ T17] binder: unexpected work type, 4, not freed [ 407.041578][T21033] binder_alloc: 21017: binder_alloc_buf, no vma 03:50:35 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x400c630e, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:35 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x8000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 407.076148][ T17] binder: undelivered TRANSACTION_COMPLETE [ 407.103553][ T17] binder: send failed reply for transaction 1831, target dead [ 407.226185][T21049] binder: 21048:21049 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 407.277820][T21054] binder: 21051:21054 got transaction with invalid offset (0, min 0 max 0) or object. [ 407.292172][T21049] binder: 21048:21049 unknown command 0 [ 407.298473][T21049] binder: 21048:21049 ioctl c0306201 200002c0 returned -22 [ 407.323557][T21057] binder_alloc: binder_alloc_mmap_handler: 21048 20001000-20004000 already mapped failed -16 [ 407.341493][T21049] binder: BINDER_SET_CONTEXT_MGR already set [ 407.348820][T21049] binder: 21048:21049 ioctl 40046207 0 returned -16 [ 407.361345][T21057] binder_alloc: 21048: binder_alloc_buf, no vma [ 407.369208][T21058] binder: 21048:21058 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 [ 407.383766][T21058] binder: 21048:21058 unknown command 0 [ 407.389359][T21058] binder: 21048:21058 ioctl c0306201 200002c0 returned -22 [ 407.403822][ T12] binder: release 21048:21049 transaction 1840 out, still active [ 407.411587][ T12] binder: unexpected work type, 4, not freed [ 407.436983][ T12] binder: undelivered TRANSACTION_COMPLETE [ 407.448776][ T12] binder: send failed reply for transaction 1840, target dead 03:50:36 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) 03:50:36 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000c4, 0x0) 03:50:36 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000c7, 0x0) 03:50:36 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x74, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:36 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0xa000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:36 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x400c630f, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 407.615117][T21066] binder: 21065:21066 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0 [ 407.626236][T21070] binder: 21063:21070 got transaction with invalid offset (0, min 0 max 0) or object. 03:50:36 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x7a, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:36 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000c5, 0x0) [ 407.656925][T21066] binder: 21065:21066 unknown command 0 [ 407.677149][T21066] binder: 21065:21066 ioctl c0306201 200002c0 returned -22 03:50:36 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000c8, 0x0) [ 407.714981][T21075] binder_alloc: binder_alloc_mmap_handler: 21065 20001000-20004000 already mapped failed -16 03:50:36 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x48000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 407.761155][T21078] binder_alloc: 21065: binder_alloc_buf, no vma [ 407.784804][T21066] binder: BINDER_SET_CONTEXT_MGR already set [ 407.791135][T21066] binder: 21065:21066 ioctl 40046207 0 returned -16 [ 407.807697][T21075] binder_alloc: 21065: binder_alloc_buf, no vma 03:50:36 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x300, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 407.837473][T21083] binder: 21065:21083 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0 [ 407.874140][ T12] binder: release 21065:21066 transaction 1847 out, still active [ 407.882837][T21090] binder_alloc: 21065: binder_alloc_buf, no vma [ 407.893013][T21083] binder: 21065:21083 unknown command 0 [ 407.902497][ T12] binder: unexpected work type, 4, not freed [ 407.919442][T21092] binder_alloc: 21065: binder_alloc_buf, no vma [ 407.923412][T21083] binder: 21065:21083 ioctl c0306201 200002c0 returned -22 03:50:36 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000c6, 0x0) [ 407.936714][ T12] binder: undelivered TRANSACTION_COMPLETE [ 407.950118][ T12] binder: send failed reply for transaction 1847, target dead 03:50:37 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) 03:50:37 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x4c000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:37 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000c9, 0x0) 03:50:37 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40106308, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:37 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x500, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:37 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000c7, 0x0) 03:50:37 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000ca, 0x0) 03:50:37 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x600, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 408.335070][T21116] binder: 21108:21116 BC_INCREFS_DONE node 1858 has no pending increfs request [ 408.349967][T21115] binder: 21111:21115 got transaction with invalid offset (0, min 0 max 0) or object. [ 408.351290][T21116] binder: 21108:21116 unknown command 0 03:50:37 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000c8, 0x0) [ 408.402008][T21116] binder: 21108:21116 ioctl c0306201 200002c0 returned -22 [ 408.444079][T21121] binder: 21120:21121 got transaction with invalid offset (0, min 0 max 0) or object. [ 408.470219][T21124] binder_alloc: binder_alloc_mmap_handler: 21108 20001000-20004000 already mapped failed -16 03:50:37 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x68000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 408.507153][T21116] binder: BINDER_SET_CONTEXT_MGR already set [ 408.523367][T21116] binder: 21108:21116 ioctl 40046207 0 returned -16 [ 408.523451][T21130] binder: 21108:21130 BC_INCREFS_DONE u0000000000000000 no match 03:50:37 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x700, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:37 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000cb, 0x0) [ 408.569454][ T17] binder: release 21108:21116 transaction 1857 out, still active [ 408.589845][ T17] binder: unexpected work type, 4, not freed [ 408.636924][ T17] binder: undelivered TRANSACTION_COMPLETE [ 408.647662][T21130] binder: 21108:21130 unknown command 0 [ 408.674528][T21130] binder: 21108:21130 ioctl c0306201 200002c0 returned -22 [ 408.675861][ T17] binder: send failed reply for transaction 1857, target dead 03:50:37 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) creat(&(0x7f00000001c0)='./file0\x00', 0x0) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) 03:50:37 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000c9, 0x0) 03:50:37 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x6c000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:37 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40106309, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:37 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000cc, 0x0) 03:50:37 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0xa00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:37 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x74000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:37 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x2000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 409.030882][T21159] binder: 21152:21159 BC_ACQUIRE_DONE node 1869 has no pending acquire request [ 409.065646][T21159] binder: 21152:21159 unknown command 0 03:50:37 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000cd, 0x0) 03:50:37 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000ca, 0x0) [ 409.147073][T21159] binder: 21152:21159 ioctl c0306201 200002c0 returned -22 [ 409.158656][T21168] binder: 21166:21168 got transaction with invalid offset (0, min 0 max 0) or object. [ 409.171539][T21169] binder: 21164:21169 got transaction with invalid offset (0, min 0 max 0) or object. [ 409.192446][T21172] binder_alloc: binder_alloc_mmap_handler: 21152 20001000-20004000 already mapped failed -16 [ 409.231998][T21159] binder: BINDER_SET_CONTEXT_MGR already set 03:50:38 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x4800, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:38 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x7a000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 409.249904][T21159] binder: 21152:21159 ioctl 40046207 0 returned -16 [ 409.252196][T21177] binder: 21152:21177 BC_ACQUIRE_DONE u0000000000000000 no match [ 409.314867][ T12] binder: send failed reply for transaction 1868 to 21152:21159 [ 409.343459][ T12] binder: undelivered TRANSACTION_COMPLETE 03:50:38 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) creat(&(0x7f00000001c0)='./file0\x00', 0x0) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) 03:50:38 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000ce, 0x0) 03:50:38 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000cb, 0x0) [ 409.473385][T21177] binder: 21152:21177 unknown command 0 [ 409.512073][T21177] binder: 21152:21177 ioctl c0306201 200002c0 returned -22 03:50:38 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40406300, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:38 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x4c00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:38 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x100000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:38 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000cf, 0x0) 03:50:38 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000cc, 0x0) 03:50:38 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) creat(&(0x7f00000001c0)='./file0\x00', 0x0) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) [ 409.649996][T21209] binder: 21205:21209 sending u0000000000000000 node 1880, cookie mismatch 0000000000000004 != 0000000000000000 03:50:38 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x6000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:38 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x200000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 409.692117][T21209] binder_transaction: 38 callbacks suppressed [ 409.692136][T21209] binder: 21205:21209 transaction failed 29201/-22, size 24-8 line 3257 03:50:38 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000d0, 0x0) [ 409.735011][T21209] binder: 21205:21209 ioctl c0306201 200002c0 returned -14 03:50:38 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) write$cgroup_type(0xffffffffffffffff, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) 03:50:38 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000cd, 0x0) [ 409.813834][T21226] binder_alloc: binder_alloc_mmap_handler: 21205 20001000-20004000 already mapped failed -16 [ 409.837987][T21224] binder: 21222:21224 transaction failed 29189/-3, size 0-8 line 3147 [ 409.852129][T21225] binder: 21221:21225 transaction failed 29189/-3, size 0-8 line 3147 [ 409.891951][T21209] binder: BINDER_SET_CONTEXT_MGR already set 03:50:38 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) write$cgroup_type(0xffffffffffffffff, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) [ 409.932612][T21209] binder: 21205:21209 ioctl 40046207 0 returned -16 [ 409.959340][ T17] binder_release_work: 39 callbacks suppressed [ 409.959349][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 409.974813][T21235] binder: 21205:21235 transaction failed 29189/-3, size 24-8 line 3147 [ 410.004120][T21226] binder: 21205:21226 transaction failed 29189/-3, size 24-8 line 3147 [ 410.018536][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 410.032121][T21235] binder: 21205:21235 ioctl c0306201 200002c0 returned -14 [ 410.071595][ T12] binder: release 21205:21209 transaction 1879 out, still active [ 410.094423][ T12] binder: unexpected work type, 4, not freed [ 410.103531][ T12] binder: undelivered TRANSACTION_COMPLETE [ 410.109796][ T12] binder: undelivered TRANSACTION_ERROR: 29201 03:50:38 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40406301, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:38 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x300000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:38 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x6800, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:38 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000d1, 0x0) 03:50:38 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000ce, 0x0) 03:50:38 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) write$cgroup_type(0xffffffffffffffff, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) [ 410.122179][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 410.128390][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 410.134778][ T12] binder: send failed reply for transaction 1879, target dead [ 410.191606][T21258] binder: 21253:21258 transaction failed 29189/-22, size 0-8 line 2994 [ 410.211106][T21254] binder: 21252:21254 transaction failed 29189/-22, size 0-8 line 2994 [ 410.230044][T21260] binder: 21259:21260 got reply transaction with bad transaction stack, transaction 1890 has target 21259:0 03:50:39 executing program 3: r0 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r0, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(0xffffffffffffffff, &(0x7f0000000380)=""/154, 0x9a) getdents(0xffffffffffffffff, 0x0, 0x0) 03:50:39 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000cf, 0x0) [ 410.256209][T21260] binder: 21259:21260 transaction failed 29201/-71, size 24-8 line 2914 [ 410.289292][T21260] binder: 21259:21260 ioctl c0306201 200002c0 returned -14 03:50:39 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x6c00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:39 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x400000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:39 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000d2, 0x0) [ 410.324632][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 410.331639][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 410.412486][T21274] binder_alloc: binder_alloc_mmap_handler: 21259 20001000-20004000 already mapped failed -16 [ 410.420352][T21270] binder: 21268:21270 transaction failed 29189/-3, size 0-8 line 3147 [ 410.443651][T21260] binder: BINDER_SET_CONTEXT_MGR already set 03:50:39 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x7400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 410.460674][T21281] binder: 21259:21281 got reply transaction with no transaction stack [ 410.469617][T21260] binder: 21259:21260 ioctl 40046207 0 returned -16 [ 410.469872][T21277] binder: 21273:21277 transaction failed 29189/-3, size 0-8 line 3147 [ 410.482652][T21281] binder: 21259:21281 ioctl c0306201 200002c0 returned -14 [ 410.497750][ T17] binder: release 21259:21260 transaction 1890 out, still active [ 410.527516][ T17] binder: unexpected work type, 4, not freed [ 410.556352][ T17] binder: undelivered TRANSACTION_COMPLETE 03:50:39 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000d0, 0x0) 03:50:39 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:39 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000d3, 0x0) 03:50:39 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x500000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 410.595469][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 410.624816][ T17] binder: undelivered TRANSACTION_ERROR: 29189 03:50:39 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x7a00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 410.666183][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 410.684310][T21293] binder: BINDER_SET_CONTEXT_MGR already set [ 410.736725][ T17] binder: send failed reply for transaction 1890, target dead [ 410.737852][T21300] binder: 21292:21300 ioctl c0306201 200002c0 returned -14 [ 410.744804][T21293] binder: 21292:21293 ioctl 40046207 0 returned -16 03:50:39 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x600000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 410.859670][T21300] binder_alloc: binder_alloc_mmap_handler: 21292 20001000-20004000 already mapped failed -16 [ 410.919534][T21300] binder: 21292:21300 got reply transaction with no transaction stack [ 410.945772][T21300] binder: 21292:21300 ioctl c0306201 200002c0 returned -14 03:50:39 executing program 3: r0 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r0, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(0xffffffffffffffff, &(0x7f0000000380)=""/154, 0x9a) getdents(0xffffffffffffffff, 0x0, 0x0) 03:50:39 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x1000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:39 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000d1, 0x0) 03:50:39 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000d4, 0x0) 03:50:39 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x2, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:39 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x700000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:39 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000d5, 0x0) 03:50:40 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x2000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 411.163752][T21324] binder_transaction: 4 callbacks suppressed [ 411.163762][T21324] binder: 21321:21324 got transaction to invalid handle 03:50:40 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x800000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:40 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000d2, 0x0) [ 411.283411][T21324] binder: 21321:21324 ioctl c0306201 200002c0 returned -14 [ 411.312275][T21337] binder: 21330:21337 got transaction with invalid offset (0, min 0 max 0) or object. [ 411.322311][T21339] binder_alloc: binder_alloc_mmap_handler: 21321 20001000-20004000 already mapped failed -16 03:50:40 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000d6, 0x0) [ 411.337333][T21340] binder_alloc_new_buf_locked: 11 callbacks suppressed [ 411.337342][T21340] binder_alloc: 21321: binder_alloc_buf, no vma [ 411.362075][T21324] binder: BINDER_SET_CONTEXT_MGR already set [ 411.389010][T21339] binder_alloc: 21321: binder_alloc_buf, no vma [ 411.391936][T21344] binder: 21321:21344 got transaction to invalid handle 03:50:40 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x3000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 411.460721][T21344] binder: 21321:21344 ioctl c0306201 200002c0 returned -14 [ 411.499262][ T12] binder: release 21321:21324 transaction 1909 out, still active [ 411.525165][T21324] binder: 21321:21324 ioctl 40046207 0 returned -16 [ 411.531739][ T12] binder: unexpected work type, 4, not freed [ 411.540272][ T12] binder: undelivered TRANSACTION_COMPLETE [ 411.558181][T21354] binder_alloc: 21321: binder_alloc_buf, no vma [ 411.562622][ T12] binder: send failed reply for transaction 1909, target dead 03:50:40 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0xa00000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:40 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000d7, 0x0) 03:50:40 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000d3, 0x0) 03:50:40 executing program 3: r0 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r0, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(0xffffffffffffffff, &(0x7f0000000380)=""/154, 0x9a) getdents(0xffffffffffffffff, 0x0, 0x0) 03:50:40 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x3, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:40 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x4000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 411.840698][T21369] binder: 21368:21369 got transaction to invalid handle [ 411.871894][T21369] binder: 21368:21369 ioctl c0306201 200002c0 returned -14 03:50:40 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x5000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:40 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x4800000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 411.882947][T21374] binder_alloc: binder_alloc_mmap_handler: 21368 20001000-20004000 already mapped failed -16 03:50:40 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000d4, 0x0) [ 411.954785][T21369] binder: BINDER_SET_CONTEXT_MGR already set [ 411.981507][T21381] binder_alloc: 21368: binder_alloc_buf, no vma [ 411.991901][T21369] binder: 21368:21369 ioctl 40046207 0 returned -16 03:50:40 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000d8, 0x0) [ 412.004299][T21379] binder_alloc: 21368: binder_alloc_buf, no vma [ 412.032329][ T17] binder: release 21368:21369 transaction 1921 out, still active [ 412.040107][ T17] binder: unexpected work type, 4, not freed [ 412.057995][T21374] binder_alloc: 21368: binder_alloc_buf, no vma [ 412.069483][ T17] binder: undelivered TRANSACTION_COMPLETE 03:50:40 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x4c00000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:40 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x6000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:40 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x4, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:40 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000d5, 0x0) [ 412.112298][ T17] binder: send failed reply for transaction 1921, target dead 03:50:40 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000d9, 0x0) [ 412.289105][T21405] binder: 21403:21405 got transaction to invalid handle [ 412.311981][T21405] binder: 21403:21405 ioctl c0306201 200002c0 returned -14 [ 412.346150][T21413] binder_alloc: binder_alloc_mmap_handler: 21403 20001000-20004000 already mapped failed -16 [ 412.434314][T21405] binder: BINDER_SET_CONTEXT_MGR already set [ 412.441174][T21413] binder_alloc: 21403: binder_alloc_buf, no vma [ 412.442110][T21418] binder: 21403:21418 got transaction to invalid handle [ 412.448275][T21405] binder: 21403:21405 ioctl 40046207 0 returned -16 [ 412.460282][T21418] binder: 21403:21418 ioctl c0306201 200002c0 returned -14 [ 412.469621][ T17] binder: send failed reply for transaction 1931 to 21403:21405 [ 412.481645][ T17] binder: undelivered TRANSACTION_COMPLETE 03:50:41 executing program 3: r0 = open(0x0, 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) 03:50:41 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x7000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:41 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x6800000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:41 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000da, 0x0) 03:50:41 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000d6, 0x0) 03:50:41 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x5, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 412.678517][T21425] binder: 21424:21425 got transaction to invalid handle [ 412.689437][T21425] binder: 21424:21425 ioctl c0306201 200002c0 returned -14 [ 412.693777][T21430] binder: 21422:21430 got transaction with invalid offset (0, min 0 max 0) or object. [ 412.713998][T21429] binder: 21420:21429 got transaction with invalid offset (0, min 0 max 0) or object. 03:50:41 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000d7, 0x0) 03:50:41 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000db, 0x0) [ 412.730600][T21432] binder_alloc: binder_alloc_mmap_handler: 21424 20001000-20004000 already mapped failed -16 [ 412.749966][T21425] binder: BINDER_SET_CONTEXT_MGR already set 03:50:41 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x8000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 412.795605][T21425] binder: 21424:21425 ioctl 40046207 0 returned -16 [ 412.825122][T21432] binder_alloc: 21424: binder_alloc_buf, no vma 03:50:41 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x6c00000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 412.864532][T21435] binder: 21424:21435 got transaction to invalid handle [ 412.901148][T21435] binder: 21424:21435 ioctl c0306201 200002c0 returned -14 [ 412.907897][T21441] binder_alloc: 21424: binder_alloc_buf, no vma [ 412.930360][ T12] binder: release 21424:21425 transaction 1938 out, still active [ 412.948240][ T12] binder: unexpected work type, 4, not freed 03:50:41 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000dc, 0x0) 03:50:41 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000d8, 0x0) [ 412.973188][ T12] binder: undelivered TRANSACTION_COMPLETE [ 412.999262][ T12] binder: send failed reply for transaction 1938, target dead 03:50:42 executing program 3: r0 = open(0x0, 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) 03:50:42 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x6, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:42 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0xa000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:42 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x7400000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:42 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000d9, 0x0) 03:50:42 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000dd, 0x0) 03:50:42 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x7a00000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:42 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000de, 0x0) [ 413.392546][T21473] binder: 21470:21473 got transaction with invalid offset (0, min 0 max 0) or object. [ 413.404193][T21474] binder: 21466:21474 got transaction to invalid handle [ 413.429751][T21474] binder: 21466:21474 ioctl c0306201 200002c0 returned -14 03:50:42 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000da, 0x0) 03:50:42 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x20000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 413.496779][T21481] binder_alloc: binder_alloc_mmap_handler: 21466 20001000-20004000 already mapped failed -16 [ 413.538779][T21474] binder: BINDER_SET_CONTEXT_MGR already set [ 413.577955][T21488] binder: 21466:21488 got transaction to invalid handle 03:50:42 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x2, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 413.577961][T21485] binder_alloc: 21466: binder_alloc_buf, no vma [ 413.585344][T21474] binder: 21466:21474 ioctl 40046207 0 returned -16 [ 413.615043][T21488] binder: 21466:21488 ioctl c0306201 200002c0 returned -14 03:50:42 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000df, 0x0) [ 413.659186][ T12] binder: release 21466:21474 transaction 1950 out, still active [ 413.683092][ T12] binder: unexpected work type, 4, not freed [ 413.744531][ T12] binder: undelivered TRANSACTION_COMPLETE [ 413.750582][ T12] binder: send failed reply for transaction 1950, target dead 03:50:42 executing program 3: r0 = open(0x0, 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) 03:50:42 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x48000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:42 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x7, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:42 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x3, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:42 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000db, 0x0) 03:50:42 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000e0, 0x0) [ 414.074283][T21519] binder: 21515:21519 got transaction with invalid offset (0, min 0 max 0) or object. [ 414.087542][T21516] binder: 21513:21516 got transaction to invalid handle 03:50:42 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000e1, 0x0) 03:50:42 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x4c000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 414.120055][T21516] binder: 21513:21516 ioctl c0306201 200002c0 returned -14 03:50:42 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x4, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:42 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000dc, 0x0) [ 414.162059][T21527] binder_alloc: binder_alloc_mmap_handler: 21513 20001000-20004000 already mapped failed -16 [ 414.202037][T21516] binder: BINDER_SET_CONTEXT_MGR already set 03:50:43 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x60000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 414.252383][T21516] binder: 21513:21516 ioctl 40046207 0 returned -16 [ 414.278549][T21527] binder: 21513:21527 ioctl c0306201 200002c0 returned -14 03:50:43 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000dd, 0x0) [ 414.299986][ T12] binder: release 21513:21516 transaction 1962 out, still active [ 414.329050][ T12] binder: unexpected work type, 4, not freed [ 414.367952][ T12] binder: undelivered TRANSACTION_COMPLETE [ 414.390954][ T12] binder: send failed reply for transaction 1962, target dead 03:50:43 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(0x0, 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) 03:50:43 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000e2, 0x0) 03:50:43 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x8, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:43 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x5, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:43 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x68000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:43 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000de, 0x0) [ 414.730563][T21563] binder_transaction: 51 callbacks suppressed [ 414.730581][T21563] binder: 21558:21563 transaction failed 29201/-22, size 24-8 line 2994 [ 414.746123][T21565] binder: 21560:21565 got transaction with invalid offset (0, min 0 max 0) or object. [ 414.759733][T21567] binder: 21562:21567 got transaction with invalid offset (0, min 0 max 0) or object. 03:50:43 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000e3, 0x0) [ 414.781133][T21565] binder: 21560:21565 transaction failed 29201/-22, size 0-8 line 3241 [ 414.790459][T21567] binder: 21562:21567 transaction failed 29201/-22, size 0-8 line 3241 [ 414.799346][T21563] binder: 21558:21563 ioctl c0306201 200002c0 returned -14 [ 414.828181][T21571] binder_alloc: binder_alloc_mmap_handler: 21558 20001000-20004000 already mapped failed -16 03:50:43 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x6c000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:43 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000df, 0x0) 03:50:43 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x6, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 414.872446][T21563] binder: BINDER_SET_CONTEXT_MGR already set [ 414.898680][T21563] binder: 21558:21563 ioctl 40046207 0 returned -16 [ 414.926976][T21571] binder: 21558:21571 transaction failed 29189/-3, size 24-8 line 3147 [ 414.964583][T21580] binder: 21574:21580 transaction failed 29189/-3, size 0-8 line 3147 [ 414.982001][ T12] binder: release 21558:21563 transaction 1973 out, still active [ 414.989787][ T12] binder: unexpected work type, 4, not freed [ 415.014471][T21584] binder: 21582:21584 transaction failed 29189/-3, size 0-8 line 3147 03:50:43 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000e4, 0x0) 03:50:43 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0xa, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 415.035834][ T12] binder: undelivered TRANSACTION_COMPLETE [ 415.063235][ T12] binder_release_work: 54 callbacks suppressed [ 415.063242][ T12] binder: undelivered TRANSACTION_ERROR: 29201 [ 415.123811][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 415.151007][T21595] binder: BINDER_SET_CONTEXT_MGR already set 03:50:43 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000e0, 0x0) 03:50:43 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x74000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:43 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(0x0, 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) 03:50:43 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x7, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 415.175820][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 415.212340][T21595] binder: 21591:21595 ioctl 40046207 0 returned -16 [ 415.216890][T21603] binder: 21591:21603 transaction failed 29189/-3, size 24-8 line 3147 [ 415.241878][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 415.253174][T21607] binder: 21600:21607 transaction failed 29189/-3, size 0-8 line 3147 [ 415.260993][ T12] binder: send failed reply for transaction 1973, target dead 03:50:44 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000e5, 0x0) [ 415.263588][T21606] binder: 21601:21606 transaction failed 29189/-22, size 0-8 line 2994 03:50:44 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(0x0, 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) 03:50:44 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000e1, 0x0) [ 415.306006][T21595] binder: 21591:21595 transaction failed 29201/-22, size 24-8 line 2994 [ 415.341943][T21595] binder: 21591:21595 ioctl c0306201 200002c0 returned -14 03:50:44 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x7a000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 415.368544][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 415.395096][T21603] binder_alloc: binder_alloc_mmap_handler: 21591 20001000-20004000 already mapped failed -16 03:50:44 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000e6, 0x0) 03:50:44 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x8, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:44 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0xfdfdffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 415.459846][T21623] binder: 21591:21623 ioctl c0306201 200002c0 returned -14 [ 415.480972][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 415.493575][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 415.534230][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 415.561458][ T12] binder: undelivered TRANSACTION_ERROR: 29201 03:50:44 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x10, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:44 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000e2, 0x0) 03:50:44 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(0xffffffffffffffff, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) [ 415.581239][ T12] binder: undelivered TRANSACTION_ERROR: 29201 03:50:44 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0xfffffdfd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:44 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0xa, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 415.697896][T21641] binder: 21638:21641 ioctl c0306201 200002c0 returned -14 03:50:44 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000e3, 0x0) 03:50:44 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(0xffffffffffffffff, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) 03:50:44 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000e7, 0x0) [ 415.812894][T21653] binder_alloc: binder_alloc_mmap_handler: 21638 20001000-20004000 already mapped failed -16 03:50:44 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000e4, 0x0) [ 415.872952][T21653] binder: 21638:21653 ioctl c0306201 200002c0 returned -14 [ 415.907277][ T17] binder: release 21638:21641 transaction 1992 out, still active 03:50:44 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x48, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:44 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x100000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 415.927228][ T17] binder: unexpected work type, 4, not freed [ 415.952933][ T17] binder: undelivered TRANSACTION_COMPLETE 03:50:44 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x48, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 415.979037][ T17] binder: send failed reply for transaction 1992, target dead 03:50:44 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(0xffffffffffffffff, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) 03:50:44 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000e8, 0x0) 03:50:44 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000e5, 0x0) [ 416.089680][T21679] binder: 21671:21679 ioctl c0306201 200002c0 returned -14 [ 416.099251][T21678] binder: 21670:21678 got transaction with invalid offset (0, min 0 max 0) or object. [ 416.119905][T21681] binder_alloc: binder_alloc_mmap_handler: 21671 20001000-20004000 already mapped failed -16 03:50:44 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x200000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:45 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x4c, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 416.183125][T21679] binder: BINDER_SET_CONTEXT_MGR already set 03:50:45 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, 0x0, 0x0) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) [ 416.248538][T21679] binder: 21671:21679 ioctl 40046207 0 returned -16 03:50:45 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000e9, 0x0) 03:50:45 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000e6, 0x0) [ 416.297247][T21681] binder_transaction: 7 callbacks suppressed [ 416.297258][T21681] binder: 21671:21681 got transaction to invalid handle [ 416.352045][T21679] binder_alloc_new_buf_locked: 16 callbacks suppressed [ 416.352054][T21679] binder_alloc: 21671: binder_alloc_buf, no vma [ 416.352591][ T12] binder: release 21671:21679 transaction 2002 out, still active [ 416.365011][T21701] binder_alloc: 21671: binder_alloc_buf, no vma [ 416.370078][T21681] binder: 21671:21681 ioctl c0306201 200002c0 returned -14 03:50:45 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x300000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:45 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x68, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 416.411650][ T12] binder: unexpected work type, 4, not freed [ 416.435262][ T12] binder: undelivered TRANSACTION_COMPLETE [ 416.451892][ T12] binder: send failed reply for transaction 2002, target dead 03:50:45 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, 0x0, 0x0) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) 03:50:45 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x4c, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:45 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000ea, 0x0) 03:50:45 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000e7, 0x0) 03:50:45 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x400000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:45 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x6c, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:45 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, 0x0, 0x0) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) 03:50:45 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000eb, 0x0) [ 416.710213][T21732] binder: 21725:21732 got transaction to invalid handle 03:50:45 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x500000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 416.768569][T21732] binder: 21725:21732 ioctl c0306201 200002c0 returned -14 [ 416.787731][T21735] binder: 21733:21735 got transaction with invalid offset (0, min 0 max 0) or object. [ 416.804188][T21739] binder_alloc: binder_alloc_mmap_handler: 21725 20001000-20004000 already mapped failed -16 03:50:45 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000e8, 0x0) [ 416.830796][T21732] binder: BINDER_SET_CONTEXT_MGR already set 03:50:45 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000ec, 0x0) [ 416.873223][T21732] binder: 21725:21732 ioctl 40046207 0 returned -16 [ 416.876233][T21747] binder: 21725:21747 got transaction to invalid handle [ 416.906100][T21739] binder_alloc: 21725: binder_alloc_buf, no vma 03:50:45 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(0x0, &(0x7f0000000300)='./file1\x00') getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) 03:50:45 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x74, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 416.931078][ T17] binder: release 21725:21732 transaction 2015 out, still active [ 416.947905][ T17] binder: unexpected work type, 4, not freed [ 416.957687][T21753] binder_alloc: 21725: binder_alloc_buf, no vma [ 416.966935][ T17] binder: undelivered TRANSACTION_COMPLETE [ 416.999388][ T17] binder: send failed reply for transaction 2015, target dead [ 417.062457][T21747] binder: 21725:21747 ioctl c0306201 200002c0 returned -14 03:50:45 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x68, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:45 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000e9, 0x0) 03:50:45 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000ed, 0x0) 03:50:45 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x600000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:45 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x7a, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:46 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000ee, 0x0) 03:50:46 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x700000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 417.250960][T21778] binder: 21770:21778 got transaction to invalid handle 03:50:46 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000ea, 0x0) 03:50:46 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x300, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 417.292113][T21778] binder: 21770:21778 ioctl c0306201 200002c0 returned -14 [ 417.378956][T21788] binder_alloc: binder_alloc_mmap_handler: 21770 20001000-20004000 already mapped failed -16 [ 417.391586][T21787] binder_alloc: 21770: binder_alloc_buf, no vma [ 417.415646][T21778] binder: BINDER_SET_CONTEXT_MGR already set 03:50:46 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x800000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 417.440609][T21778] binder: 21770:21778 ioctl 40046207 0 returned -16 [ 417.441511][T21793] binder: 21770:21793 got transaction to invalid handle [ 417.456549][T21794] binder_alloc: 21770: binder_alloc_buf, no vma [ 417.476655][T21788] binder_alloc: 21770: binder_alloc_buf, no vma [ 417.540546][ T17] binder: release 21770:21778 transaction 2027 out, still active [ 417.555528][T21799] binder_alloc: 21770: binder_alloc_buf, no vma [ 417.560441][ T17] binder: unexpected work type, 4, not freed [ 417.570114][ T17] binder: undelivered TRANSACTION_COMPLETE [ 417.576531][T21793] binder: 21770:21793 ioctl c0306201 200002c0 returned -14 [ 417.590774][ T17] binder: send failed reply for transaction 2027, target dead 03:50:46 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(0x0, &(0x7f0000000300)='./file1\x00') getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) 03:50:46 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000eb, 0x0) 03:50:46 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000ef, 0x0) 03:50:46 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x500, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:46 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0xa00000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:46 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x6c, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:46 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x2000000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 417.800613][T21809] binder: 21805:21809 got transaction to invalid handle [ 417.808205][T21810] binder: 21803:21810 got transaction with invalid offset (0, min 0 max 0) or object. [ 417.831941][T21809] binder: 21805:21809 ioctl c0306201 200002c0 returned -14 03:50:46 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x600, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 417.858925][T21815] binder_alloc: binder_alloc_mmap_handler: 21805 20001000-20004000 already mapped failed -16 03:50:46 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000ec, 0x0) 03:50:46 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000f0, 0x0) [ 417.904419][T21809] binder: BINDER_SET_CONTEXT_MGR already set [ 417.969242][T21809] binder: 21805:21809 ioctl 40046207 0 returned -16 [ 417.979201][T21826] binder_alloc: 21805: binder_alloc_buf, no vma [ 417.989549][T21825] binder: 21805:21825 got transaction to invalid handle 03:50:46 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000ed, 0x0) [ 418.016131][ T17] binder: release 21805:21809 transaction 2038 out, still active [ 418.016880][T21830] binder_alloc: 21805: binder_alloc_buf, no vma [ 418.031156][ T17] binder: unexpected work type, 4, not freed [ 418.046327][T21825] binder: 21805:21825 ioctl c0306201 200002c0 returned -14 [ 418.060122][ T17] binder: undelivered TRANSACTION_COMPLETE 03:50:46 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x4800000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 418.090167][ T17] binder: send failed reply for transaction 2038, target dead 03:50:47 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(0x0, &(0x7f0000000300)='./file1\x00') getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) 03:50:47 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x74, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:47 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000f1, 0x0) 03:50:47 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x700, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:47 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x4c00000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:47 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000ee, 0x0) [ 418.493253][T21854] binder: 21849:21854 got transaction to invalid handle [ 418.508329][T21855] binder: 21853:21855 got transaction with invalid offset (0, min 0 max 0) or object. [ 418.517724][T21854] binder: 21849:21854 ioctl c0306201 200002c0 returned -14 [ 418.520136][T21857] binder: 21850:21857 got transaction with invalid offset (0, min 0 max 0) or object. 03:50:47 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000ef, 0x0) 03:50:47 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x6000000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:47 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0xa00, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 418.563292][T21860] binder_alloc: binder_alloc_mmap_handler: 21849 20001000-20004000 already mapped failed -16 [ 418.582276][T21854] binder: BINDER_SET_CONTEXT_MGR already set [ 418.588357][T21854] binder: 21849:21854 ioctl 40046207 0 returned -16 [ 418.657902][T21867] binder: 21849:21867 got transaction to invalid handle [ 418.707160][ T12] binder: release 21849:21854 transaction 2048 out, still active [ 418.722716][T21867] binder: 21849:21867 ioctl c0306201 200002c0 returned -14 [ 418.734708][ T12] binder: unexpected work type, 4, not freed 03:50:47 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x6800000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:47 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x4800, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 418.760169][ T12] binder: undelivered TRANSACTION_COMPLETE 03:50:47 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000f0, 0x0) [ 418.812052][ T12] binder: send failed reply for transaction 2048, target dead 03:50:47 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', 0x0) getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) 03:50:47 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x7a, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:47 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000f2, 0x0) 03:50:47 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x6c00000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:47 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000f1, 0x0) 03:50:47 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x4c00, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 419.254070][T21900] binder: 21898:21900 got transaction to invalid handle [ 419.271486][T21901] binder: 21895:21901 got transaction with invalid offset (0, min 0 max 0) or object. [ 419.297084][T21900] binder: 21898:21900 ioctl c0306201 200002c0 returned -14 03:50:48 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x6800, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:48 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000f3, 0x0) [ 419.318276][T21905] binder_alloc: binder_alloc_mmap_handler: 21898 20001000-20004000 already mapped failed -16 03:50:48 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x7400000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 419.414506][T21900] binder: BINDER_SET_CONTEXT_MGR already set [ 419.462088][T21900] binder: 21898:21900 ioctl 40046207 0 returned -16 [ 419.485023][T21913] binder: 21898:21913 ioctl c0306201 200002c0 returned -14 03:50:48 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000f2, 0x0) 03:50:48 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x6c00, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 419.528177][ T17] binder: release 21898:21900 transaction 2061 out, still active [ 419.554719][ T17] binder: unexpected work type, 4, not freed [ 419.560769][ T17] binder: undelivered TRANSACTION_COMPLETE 03:50:48 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x300, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 419.632000][ T17] binder: send failed reply for transaction 2061, target dead [ 419.710174][T21931] binder: 21929:21931 ioctl c0306201 200002c0 returned -14 [ 419.730008][T21933] binder: 21927:21933 got transaction with invalid offset (0, min 0 max 0) or object. [ 419.756110][T21933] binder_transaction: 57 callbacks suppressed [ 419.756129][T21933] binder: 21927:21933 transaction failed 29201/-22, size 0-8 line 3241 [ 419.785099][T21934] binder_alloc: binder_alloc_mmap_handler: 21929 20001000-20004000 already mapped failed -16 [ 419.810623][T21931] binder: BINDER_SET_CONTEXT_MGR already set [ 419.857441][T21931] binder: 21929:21931 ioctl 40046207 0 returned -16 [ 419.868058][T21934] binder: 21929:21934 transaction failed 29189/-3, size 24-8 line 3147 [ 419.882364][ T17] binder: release 21929:21931 transaction 2071 out, still active [ 419.901111][ T17] binder: unexpected work type, 4, not freed [ 419.923241][ T17] binder: undelivered TRANSACTION_COMPLETE [ 419.929243][ T17] binder: send failed reply for transaction 2071, target dead 03:50:48 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', 0x0) getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) 03:50:48 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x7a00000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:48 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000f4, 0x0) 03:50:48 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x7400, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:48 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000f3, 0x0) 03:50:48 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x500, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 420.121091][T21945] binder: 21940:21945 transaction failed 29189/-22, size 0-8 line 2994 [ 420.148734][T21947] binder: 21946:21947 transaction failed 29189/-22, size 0-8 line 2994 [ 420.190153][T21949] binder: 21943:21949 transaction failed 29201/-22, size 24-8 line 2994 [ 420.228059][T21949] binder: 21943:21949 ioctl c0306201 200002c0 returned -14 03:50:49 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0xfdfdffff00000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 420.278848][ T17] binder_release_work: 57 callbacks suppressed [ 420.278857][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 420.309505][T21951] binder_alloc: binder_alloc_mmap_handler: 21943 20001000-20004000 already mapped failed -16 03:50:49 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x7a00, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 420.327581][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 420.400367][T21949] binder: BINDER_SET_CONTEXT_MGR already set [ 420.429981][T21955] binder: 21954:21955 transaction failed 29189/-3, size 0-8 line 3147 [ 420.444689][T21949] binder: 21943:21949 ioctl 40046207 0 returned -16 [ 420.473513][T21951] binder: 21943:21951 transaction failed 29189/-3, size 24-8 line 3147 [ 420.489230][T21960] binder: 21957:21960 transaction failed 29189/-3, size 0-8 line 3147 [ 420.501979][T21958] binder: 21943:21958 transaction failed 29201/-22, size 24-8 line 2994 03:50:49 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000f5, 0x0) 03:50:49 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000f4, 0x0) 03:50:49 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 420.519259][ T17] binder: release 21943:21949 transaction 2080 out, still active [ 420.526689][T21958] binder: 21943:21958 ioctl c0306201 200002c0 returned -14 [ 420.537241][ T17] binder: unexpected work type, 4, not freed 03:50:49 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x1000000, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 420.583377][ T17] binder: undelivered TRANSACTION_COMPLETE [ 420.622763][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 420.649977][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 420.679338][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 420.705024][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 420.714217][T21975] binder: 21973:21975 transaction failed 29189/-3, size 0-8 line 3147 [ 420.733970][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 420.766058][ T17] binder: send failed reply for transaction 2080, target dead [ 420.815282][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 420.839259][ T17] binder: undelivered TRANSACTION_ERROR: 29189 03:50:49 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', 0x0) getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) 03:50:49 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x600, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:49 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x2000000, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:49 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:49 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000f6, 0x0) 03:50:49 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000f5, 0x0) 03:50:50 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:50 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x3000000, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 421.202141][T21992] binder: 21984:21992 ioctl c0306201 200002c0 returned -14 [ 421.223659][ T17] binder: undelivered TRANSACTION_ERROR: 29189 03:50:50 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000f7, 0x0) [ 421.258541][T21996] binder_alloc: binder_alloc_mmap_handler: 21984 20001000-20004000 already mapped failed -16 [ 421.329802][T21992] binder: BINDER_SET_CONTEXT_MGR already set 03:50:50 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x4000000, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 421.373542][T21992] binder: 21984:21992 ioctl 40046207 0 returned -16 [ 421.387435][T22002] binder_alloc_new_buf_locked: 12 callbacks suppressed [ 421.387443][T22002] binder_alloc: 21984: binder_alloc_buf, no vma [ 421.421005][T22006] binder_transaction: 5 callbacks suppressed [ 421.421016][T22006] binder: 21984:22006 got transaction to invalid handle [ 421.450120][T21996] binder_alloc: 21984: binder_alloc_buf, no vma [ 421.490356][ T17] binder: release 21984:21992 transaction 2093 out, still active [ 421.501425][T22006] binder: 21984:22006 ioctl c0306201 200002c0 returned -14 [ 421.512973][T22009] binder_alloc: 21984: binder_alloc_buf, no vma [ 421.519840][ T17] binder: unexpected work type, 4, not freed 03:50:50 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000f8, 0x0) 03:50:50 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 421.549636][ T17] binder: undelivered TRANSACTION_COMPLETE [ 421.587658][ T17] binder: send failed reply for transaction 2093, target dead 03:50:50 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(0xffffffffffffffff, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) 03:50:50 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x700, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:50 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x5000000, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:50 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000f6, 0x0) 03:50:50 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000f9, 0x0) 03:50:50 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:50 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x6000000, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:50 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000fa, 0x0) [ 421.994877][T22035] binder: 22030:22035 got transaction to invalid handle 03:50:50 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 422.061950][T22035] binder: 22030:22035 ioctl c0306201 200002c0 returned -14 [ 422.081314][T22040] binder_alloc: binder_alloc_mmap_handler: 22030 20001000-20004000 already mapped failed -16 [ 422.157249][T22035] binder: BINDER_SET_CONTEXT_MGR already set [ 422.177433][T22045] binder_alloc: 22030: binder_alloc_buf, no vma [ 422.184980][T22035] binder: 22030:22035 ioctl 40046207 0 returned -16 03:50:51 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000fb, 0x0) [ 422.219672][T22049] binder_alloc: 22030: binder_alloc_buf, no vma [ 422.226487][T22047] binder: 22030:22047 got transaction to invalid handle 03:50:51 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x7000000, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 422.269746][T22040] binder_alloc: 22030: binder_alloc_buf, no vma [ 422.311637][ T12] binder: release 22030:22035 transaction 2106 out, still active [ 422.328508][T22047] binder: 22030:22047 ioctl c0306201 200002c0 returned -14 03:50:51 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 422.357382][ T12] binder: unexpected work type, 4, not freed [ 422.379305][ T12] binder: undelivered TRANSACTION_COMPLETE [ 422.407853][ T12] binder: send failed reply for transaction 2106, target dead 03:50:51 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(0xffffffffffffffff, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) 03:50:51 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0xa00, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:51 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x8000000, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:51 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000f7, 0x0) 03:50:51 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:51 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000fc, 0x0) [ 422.863627][T22079] binder: 22072:22079 got transaction to invalid handle [ 422.870748][T22077] binder: 22076:22077 got transaction with invalid offset (0, min 0 max 0) or object. [ 422.883260][T22081] binder: 22073:22081 got transaction with invalid offset (0, min 0 max 0) or object. [ 422.897878][T22079] binder: 22072:22079 ioctl c0306201 200002c0 returned -14 03:50:51 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x48, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 422.919677][T22084] binder_alloc: binder_alloc_mmap_handler: 22072 20001000-20004000 already mapped failed -16 [ 422.938621][T22079] binder: BINDER_SET_CONTEXT_MGR already set [ 422.961477][T22079] binder: 22072:22079 ioctl 40046207 0 returned -16 [ 422.998595][T22084] binder_alloc: 22072: binder_alloc_buf, no vma 03:50:51 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0xa000000, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:51 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000fd, 0x0) [ 423.026687][ T17] binder: release 22072:22079 transaction 2117 out, still active [ 423.050235][T22088] binder_alloc: 22072: binder_alloc_buf, no vma [ 423.071952][ T17] binder: unexpected work type, 4, not freed 03:50:51 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x2000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:51 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x4c, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 423.103820][ T17] binder: undelivered TRANSACTION_COMPLETE [ 423.138202][ T17] binder: send failed reply for transaction 2117, target dead 03:50:52 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x48000000, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 423.232140][T22098] binder: 22096:22098 got transaction to invalid handle [ 423.253151][T22098] binder: 22096:22098 ioctl c0306201 200002c0 returned -14 [ 423.280538][T22104] binder: 22100:22104 got transaction with invalid offset (0, min 0 max 0) or object. [ 423.308534][T22107] binder_alloc: binder_alloc_mmap_handler: 22096 20001000-20004000 already mapped failed -16 [ 423.334418][T22098] binder: BINDER_SET_CONTEXT_MGR already set [ 423.381985][T22114] binder: 22096:22114 got transaction to invalid handle [ 423.399465][T22098] binder: 22096:22098 ioctl 40046207 0 returned -16 [ 423.399622][T22112] binder_alloc: 22096: binder_alloc_buf, no vma [ 423.416112][T22114] binder: 22096:22114 ioctl c0306201 200002c0 returned -14 [ 423.418425][T22113] binder_alloc: 22096: binder_alloc_buf, no vma [ 423.450682][ T17] binder: release 22096:22098 transaction 2127 out, still active [ 423.460121][ T17] binder: unexpected work type, 4, not freed [ 423.466328][ T17] binder: undelivered TRANSACTION_COMPLETE [ 423.472887][ T17] binder: send failed reply for transaction 2127, target dead 03:50:52 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(0xffffffffffffffff, &(0x7f0000000380)=""/154, 0x9a) getdents(r0, 0x0, 0x0) 03:50:52 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000f8, 0x0) 03:50:52 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000fe, 0x0) 03:50:52 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x60, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:52 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x4c000000, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:52 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x4800, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 423.707111][T22127] binder: 22124:22127 got transaction with invalid offset (0, min 0 max 0) or object. [ 423.717103][T22129] binder: 22123:22129 got transaction with invalid offset (0, min 0 max 0) or object. [ 423.737935][T22125] binder: 22121:22125 got transaction to invalid handle 03:50:52 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x68, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:52 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000102, 0x0) [ 423.768055][T22125] binder: 22121:22125 ioctl c0306201 200002c0 returned -14 03:50:52 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x68000000, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 423.834990][T22133] binder: 22132:22133 got transaction with invalid offset (0, min 0 max 0) or object. [ 423.845804][T22134] binder_alloc: binder_alloc_mmap_handler: 22121 20001000-20004000 already mapped failed -16 [ 423.889993][T22125] binder: BINDER_SET_CONTEXT_MGR already set [ 423.912320][T22125] binder: 22121:22125 ioctl 40046207 0 returned -16 03:50:52 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x6c, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:52 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x6c000000, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 424.022210][T22134] binder: 22121:22134 got transaction to invalid handle 03:50:52 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000103, 0x0) [ 424.067943][ T12] binder: send failed reply for transaction 2138 to 22121:22125 [ 424.084543][ T12] binder: undelivered TRANSACTION_COMPLETE [ 424.162854][T22134] binder: 22121:22134 ioctl c0306201 200002c0 returned -14 03:50:53 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x74, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:53 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000f9, 0x0) 03:50:53 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x74000000, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:53 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, 0x0, 0x0) getdents(r0, 0x0, 0x0) 03:50:53 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000104, 0x0) 03:50:53 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x4c00, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 424.502003][T22169] binder: 22168:22169 got transaction to invalid handle [ 424.503856][T22171] binder: 22165:22171 got transaction with invalid offset (0, min 0 max 0) or object. [ 424.512456][T22172] binder: 22166:22172 got transaction with invalid offset (0, min 0 max 0) or object. [ 424.533860][T22169] binder: 22168:22169 ioctl c0306201 200002c0 returned -14 03:50:53 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x7a000000, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 424.557179][T22174] binder_alloc: binder_alloc_mmap_handler: 22168 20001000-20004000 already mapped failed -16 [ 424.618245][T22169] binder: BINDER_SET_CONTEXT_MGR already set 03:50:53 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x7a, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 424.673980][T22169] binder: 22168:22169 ioctl 40046207 0 returned -16 [ 424.712130][T22178] binder: 22168:22178 got transaction to invalid handle 03:50:53 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000105, 0x0) [ 424.751591][ T17] binder: release 22168:22169 transaction 2149 out, still active [ 424.767236][T22178] binder_transaction: 44 callbacks suppressed [ 424.767256][T22178] binder: 22168:22178 transaction failed 29201/-22, size 24-8 line 2994 [ 424.791414][ T17] binder: unexpected work type, 4, not freed [ 424.811933][T22183] binder: 22181:22183 transaction failed 29189/-3, size 0-8 line 3147 [ 424.842369][ T17] binder: undelivered TRANSACTION_COMPLETE [ 424.848360][ T17] binder: send failed reply for transaction 2149, target dead 03:50:53 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x100000000000000, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 424.862209][T22178] binder: 22168:22178 ioctl c0306201 200002c0 returned -14 03:50:53 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x300, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:53 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x6800, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 424.963569][T22194] binder: 22191:22194 transaction failed 29189/-22, size 0-8 line 2994 03:50:53 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000fa, 0x0) [ 425.006542][T22201] binder: 22198:22201 transaction failed 29201/-22, size 24-8 line 2994 [ 425.034624][T22201] binder: 22198:22201 ioctl c0306201 200002c0 returned -14 03:50:53 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000106, 0x0) [ 425.051146][T22202] binder: 22199:22202 got transaction with invalid offset (0, min 0 max 0) or object. [ 425.061069][T22205] binder_alloc: binder_alloc_mmap_handler: 22198 20001000-20004000 already mapped failed -16 03:50:53 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x200000000000000, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 425.104984][T22201] binder: BINDER_SET_CONTEXT_MGR already set [ 425.123880][T22202] binder: 22199:22202 transaction failed 29201/-22, size 0-8 line 3241 [ 425.131436][T22201] binder: 22198:22201 ioctl 40046207 0 returned -16 [ 425.174574][T22205] binder: 22198:22205 transaction failed 29189/-3, size 24-8 line 3147 [ 425.193453][T22215] binder: 22214:22215 transaction failed 29189/-3, size 0-8 line 3147 03:50:54 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x500, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 425.239937][ T17] binder: release 22198:22201 transaction 2161 out, still active [ 425.250836][ T17] binder: unexpected work type, 4, not freed [ 425.281235][ T17] binder: undelivered TRANSACTION_COMPLETE [ 425.303041][ T17] binder_release_work: 47 callbacks suppressed [ 425.303048][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 425.348927][T22219] binder: 22218:22219 transaction failed 29189/-3, size 0-8 line 3147 [ 425.360075][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 425.373431][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 425.396506][ T17] binder: send failed reply for transaction 2161, target dead [ 425.443748][ T12] binder: undelivered TRANSACTION_ERROR: 29189 03:50:54 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, 0x0, 0x0) getdents(r0, 0x0, 0x0) 03:50:54 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x300000000000000, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:54 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000107, 0x0) 03:50:54 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x6c00, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:54 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x600, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:54 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000fb, 0x0) [ 425.674083][T22233] binder: 22226:22233 transaction failed 29201/-22, size 24-8 line 2994 [ 425.675466][T22235] binder: 22229:22235 got transaction with invalid offset (0, min 0 max 0) or object. [ 425.691885][T22233] binder: 22226:22233 ioctl c0306201 200002c0 returned -14 [ 425.703155][T22234] binder: 22227:22234 transaction failed 29201/-22, size 0-8 line 3241 [ 425.724873][T22237] binder_alloc: binder_alloc_mmap_handler: 22226 20001000-20004000 already mapped failed -16 03:50:54 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000108, 0x0) [ 425.766257][T22233] binder: BINDER_SET_CONTEXT_MGR already set [ 425.803942][T22233] binder: 22226:22233 ioctl 40046207 0 returned -16 03:50:54 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x700, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 425.813582][ T17] binder: undelivered TRANSACTION_ERROR: 29201 03:50:54 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x400000000000000, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 425.839014][T22239] binder: 22226:22239 ioctl c0306201 200002c0 returned -14 [ 425.850069][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 425.892544][ T17] binder: release 22226:22233 transaction 2170 out, still active [ 425.927092][ T17] binder: unexpected work type, 4, not freed 03:50:54 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x7400, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:54 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0xa00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 425.966188][ T17] binder: undelivered TRANSACTION_COMPLETE [ 425.995311][ T17] binder: undelivered TRANSACTION_ERROR: 29201 03:50:54 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x500000000000000, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 426.039491][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 426.070300][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 426.102420][T22261] binder: BINDER_SET_CONTEXT_MGR already set [ 426.136910][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 426.148274][T22261] binder: 22255:22261 ioctl 40046207 0 returned -16 [ 426.149440][T22267] binder: 22255:22267 ioctl c0306201 200002c0 returned -14 [ 426.155390][ T17] binder: send failed reply for transaction 2170, target dead [ 426.256571][T22267] binder_alloc: binder_alloc_mmap_handler: 22255 20001000-20004000 already mapped failed -16 [ 426.268654][T22267] binder: 22255:22267 ioctl c0306201 200002c0 returned -14 03:50:55 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, 0x0, 0x0) getdents(r0, 0x0, 0x0) 03:50:55 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000fc, 0x0) 03:50:55 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000109, 0x0) 03:50:55 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x2000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:55 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x600000000000000, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:55 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x7a00, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 426.460289][T22279] binder_transaction: 4 callbacks suppressed [ 426.460300][T22279] binder: 22272:22279 got transaction to invalid handle 03:50:55 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x4800, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:55 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x700000000000000, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:55 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000010a, 0x0) [ 426.553736][T22279] binder: 22272:22279 ioctl c0306201 200002c0 returned -14 [ 426.624428][T22288] binder_alloc: binder_alloc_mmap_handler: 22272 20001000-20004000 already mapped failed -16 [ 426.670159][T22289] binder_alloc_new_buf_locked: 14 callbacks suppressed [ 426.670168][T22289] binder_alloc: 22272: binder_alloc_buf, no vma [ 426.684273][T22279] binder: BINDER_SET_CONTEXT_MGR already set [ 426.714959][T22279] binder: 22272:22279 ioctl 40046207 0 returned -16 [ 426.737442][T22291] binder_alloc: 22272: binder_alloc_buf, no vma [ 426.747855][T22293] binder: 22272:22293 got transaction to invalid handle 03:50:55 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x4c00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 426.775974][T22293] binder: 22272:22293 ioctl c0306201 200002c0 returned -14 [ 426.787116][T22288] binder_alloc: 22272: binder_alloc_buf, no vma [ 426.794752][ T12] binder: release 22272:22279 transaction 2187 out, still active 03:50:55 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000010b, 0x0) [ 426.825350][ T12] binder: unexpected work type, 4, not freed 03:50:55 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x800000000000000, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 426.874570][ T12] binder: undelivered TRANSACTION_COMPLETE [ 426.904500][ T12] binder: send failed reply for transaction 2187, target dead 03:50:56 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(0xffffffffffffffff, 0x0, 0x0) 03:50:56 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x1000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:56 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000fd, 0x0) 03:50:56 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x6000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:56 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0xa00000000000000, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:56 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000010c, 0x0) [ 427.359070][T22320] binder: 22318:22320 got transaction to invalid handle 03:50:56 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x6800, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:56 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000010d, 0x0) [ 427.418209][T22320] binder: 22318:22320 ioctl c0306201 200002c0 returned -14 03:50:56 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x4800000000000000, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 427.484643][T22331] binder_alloc: binder_alloc_mmap_handler: 22318 20001000-20004000 already mapped failed -16 [ 427.558566][T22320] binder: BINDER_SET_CONTEXT_MGR already set [ 427.618131][T22320] binder: 22318:22320 ioctl 40046207 0 returned -16 [ 427.618383][T22340] binder: 22318:22340 got transaction to invalid handle [ 427.632214][T22337] binder_alloc: 22318: binder_alloc_buf, no vma [ 427.651426][T22338] binder_alloc: 22318: binder_alloc_buf, no vma 03:50:56 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x4c00000000000000, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:56 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x6c00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 427.689480][T22331] binder_alloc: 22318: binder_alloc_buf, no vma [ 427.706276][ T17] binder: release 22318:22320 transaction 2200 out, still active [ 427.714959][T22340] binder: 22318:22340 ioctl c0306201 200002c0 returned -14 [ 427.731834][ T17] binder: unexpected work type, 4, not freed 03:50:56 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000fe, 0x0) [ 427.776703][ T17] binder: undelivered TRANSACTION_COMPLETE [ 427.808169][ T17] binder: send failed reply for transaction 2200, target dead 03:50:57 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(0xffffffffffffffff, 0x0, 0x0) 03:50:57 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x2000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:57 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x6800000000000000, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:57 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x7400, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:57 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000010e, 0x0) 03:50:57 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000102, 0x0) 03:50:57 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x6c00000000000000, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:57 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x7a00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 428.332077][T22374] binder: 22372:22374 got transaction to invalid handle [ 428.363177][T22374] binder: 22372:22374 ioctl c0306201 200002c0 returned -14 03:50:57 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000010f, 0x0) [ 428.432454][T22379] binder_alloc: binder_alloc_mmap_handler: 22372 20001000-20004000 already mapped failed -16 [ 428.472879][T22374] binder: BINDER_SET_CONTEXT_MGR already set [ 428.479677][T22379] binder_alloc: 22372: binder_alloc_buf, no vma [ 428.527901][ T17] binder: release 22372:22374 transaction 2215 out, still active [ 428.545388][ T17] binder: unexpected work type, 4, not freed [ 428.551923][T22381] binder_alloc: 22372: binder_alloc_buf, no vma [ 428.566818][ T17] binder: undelivered TRANSACTION_COMPLETE [ 428.581320][T22374] binder: 22372:22374 ioctl 40046207 0 returned -16 [ 428.584201][T22387] binder_alloc: 22372: binder_alloc_buf, no vma [ 428.599184][ T17] binder: send failed reply for transaction 2215, target dead 03:50:57 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x3000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:57 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x1000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:57 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000110, 0x0) [ 428.777235][T22401] binder: 22396:22401 got transaction to invalid handle [ 428.818189][T22401] binder: 22396:22401 ioctl c0306201 200002c0 returned -14 [ 428.839991][T22407] binder_alloc: binder_alloc_mmap_handler: 22396 20001000-20004000 already mapped failed -16 [ 428.868937][T22401] binder: BINDER_SET_CONTEXT_MGR already set [ 428.881084][T22401] binder: 22396:22401 ioctl 40046207 0 returned -16 [ 428.881122][T22411] binder: 22396:22411 got transaction to invalid handle [ 428.888454][T22407] binder_alloc: 22396: binder_alloc_buf, no vma [ 428.920951][T22411] binder: 22396:22411 ioctl c0306201 200002c0 returned -14 [ 428.927850][ T12] binder: send failed reply for transaction 2224 to 22396:22401 [ 428.944678][ T12] binder: undelivered TRANSACTION_COMPLETE 03:50:57 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, &(0x7f0000000380)=""/154, 0x9a) getdents(0xffffffffffffffff, 0x0, 0x0) 03:50:57 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x7400000000000000, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:57 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000103, 0x0) 03:50:57 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:57 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000111, 0x0) 03:50:57 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x4000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 429.154579][T22424] binder: 22422:22424 got transaction to invalid handle [ 429.156760][T22418] binder_transaction: 5 callbacks suppressed [ 429.156774][T22418] binder: 22416:22418 got transaction with invalid offset (0, min 0 max 0) or object. [ 429.162400][T22424] binder: 22422:22424 ioctl c0306201 200002c0 returned -14 [ 429.189433][T22425] binder: 22419:22425 got transaction with invalid offset (0, min 0 max 0) or object. 03:50:58 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000112, 0x0) [ 429.220752][T22427] binder_alloc: binder_alloc_mmap_handler: 22422 20001000-20004000 already mapped failed -16 [ 429.241261][T22424] binder: BINDER_SET_CONTEXT_MGR already set [ 429.254579][T22424] binder: 22422:22424 ioctl 40046207 0 returned -16 03:50:58 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x3000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 429.276347][T22429] binder: 22422:22429 got transaction to invalid handle 03:50:58 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x7a00000000000000, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 429.317323][T22429] binder: 22422:22429 ioctl c0306201 200002c0 returned -14 [ 429.343052][ T17] binder: release 22422:22424 transaction 2231 out, still active [ 429.359863][ T17] binder: unexpected work type, 4, not freed 03:50:58 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x5000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:58 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x4000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 429.406437][ T17] binder: undelivered TRANSACTION_COMPLETE [ 429.436444][ T17] binder: send failed reply for transaction 2231, target dead 03:50:58 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x2, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 429.597841][T22443] binder: 22440:22443 got transaction to invalid handle [ 429.627156][T22443] binder: 22440:22443 ioctl c0306201 200002c0 returned -14 [ 429.628751][T22448] binder: 22442:22448 got transaction with invalid offset (0, min 0 max 0) or object. [ 429.677672][T22452] binder_alloc: binder_alloc_mmap_handler: 22440 20001000-20004000 already mapped failed -16 [ 429.717462][T22443] binder: BINDER_SET_CONTEXT_MGR already set [ 429.731394][T22443] binder: 22440:22443 ioctl 40046207 0 returned -16 [ 429.790488][ T17] binder: send failed reply for transaction 2242 to 22440:22443 [ 429.822162][ T17] binder: undelivered TRANSACTION_COMPLETE 03:50:58 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x6000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:50:58 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000104, 0x0) 03:50:58 executing program 3: r0 = socket(0x10, 0x80002, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)=@newlink={0x38, 0x10, 0xf0b, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x18, 0x12, @gre={{0x8, 0x1, 'gre\x00'}, {0xc, 0x2, [@IFLA_GRE_LOCAL={0x8, 0x5}]}}}]}, 0x38}}, 0x0) setxattr$trusted_overlay_origin(0x0, 0x0, 0x0, 0x0, 0x0) sendmmsg$alg(r0, &(0x7f0000000140)=[{0x0, 0x0, &(0x7f0000000100), 0x0, &(0x7f0000000100)}], 0x492492492492805, 0x0) 03:50:58 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x5000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:58 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x3, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:58 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000113, 0x0) [ 430.039381][T22469] binder_transaction: 49 callbacks suppressed [ 430.039397][T22469] binder: 22464:22469 transaction failed 29189/-22, size 0-8 line 2994 [ 430.060399][T22471] binder: 22466:22471 transaction failed 29189/-22, size 0-8 line 2994 [ 430.063919][T22472] binder: 22468:22472 transaction failed 29201/-22, size 24-8 line 2994 [ 430.100853][T22472] binder: 22468:22472 ioctl c0306201 200002c0 returned -14 03:50:58 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x4, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 430.141216][T22473] binder_alloc: binder_alloc_mmap_handler: 22468 20001000-20004000 already mapped failed -16 [ 430.198229][T22473] binder: 22468:22473 transaction failed 29201/-22, size 24-8 line 2994 [ 430.198423][T22472] binder: 22468:22472 transaction failed 29189/-3, size 24-8 line 3147 03:50:59 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x6000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 430.278338][T22477] binder: 22476:22477 transaction failed 29189/-3, size 0-8 line 3147 [ 430.310172][ T17] binder: release 22468:22472 transaction 2252 out, still active [ 430.319030][T22473] binder: 22468:22473 ioctl c0306201 200002c0 returned -14 [ 430.332437][ T17] binder: unexpected work type, 4, not freed [ 430.377011][ T17] binder: undelivered TRANSACTION_COMPLETE [ 430.384260][T22481] binder: 22479:22481 transaction failed 29189/-3, size 0-8 line 3147 03:50:59 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000114, 0x0) 03:50:59 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000105, 0x0) 03:50:59 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x7000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:59 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x5, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 430.419104][ T17] binder_release_work: 49 callbacks suppressed [ 430.419111][ T17] binder: undelivered TRANSACTION_ERROR: 29201 03:50:59 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x7000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 430.537369][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 430.563118][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 430.583693][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 430.590946][T22499] binder: BINDER_SET_CONTEXT_MGR already set [ 430.606032][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 430.614022][T22501] binder: 22495:22501 transaction failed 29189/-3, size 0-8 line 3147 [ 430.622533][T22499] binder: 22498:22499 ioctl 40046207 0 returned -16 [ 430.629902][T22500] binder: 22496:22500 transaction failed 29189/-3, size 0-8 line 3147 [ 430.642834][ T17] binder: send failed reply for transaction 2252, target dead [ 430.655643][T22499] binder: 22498:22499 transaction failed 29189/-22, size 24-8 line 2994 03:50:59 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x8000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 430.687602][T22499] binder: 22498:22499 ioctl c0306201 200002c0 returned -14 [ 430.706269][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 430.727130][T22502] binder_alloc: binder_alloc_mmap_handler: 22498 20001000-20004000 already mapped failed -16 [ 430.774243][T22502] binder: 22498:22502 ioctl c0306201 200002c0 returned -14 [ 430.801618][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 430.812083][ T17] binder: undelivered TRANSACTION_ERROR: 29189 03:50:59 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x0, 0x300) r1 = fcntl$dupfd(r0, 0x0, 0xffffffffffffffff) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r2, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r2, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) ioctl$DRM_IOCTL_ADD_CTX(r1, 0xc0086420, &(0x7f0000000080)={0x0}) ioctl$DRM_IOCTL_RM_CTX(r1, 0xc0086421, &(0x7f0000000100)={r3}) sendmmsg(r2, &(0x7f0000000480), 0x2e9, 0xffd8) fcntl$F_SET_FILE_RW_HINT(r0, 0x40e, &(0x7f0000000000)=0x4) socket$packet(0x11, 0x0, 0x300) ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0) sendmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0) setsockopt$packet_tx_ring(r0, 0x107, 0x5, &(0x7f0000000040)=@req3={0x10000, 0x100000001}, 0x1c) 03:50:59 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x6, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:50:59 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x8000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 430.853775][ T17] binder: undelivered TRANSACTION_ERROR: 29201 03:50:59 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0xa000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 430.923065][ T17] binder: undelivered TRANSACTION_ERROR: 29189 03:50:59 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000106, 0x0) 03:50:59 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000115, 0x0) 03:50:59 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x7, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 430.994288][T22519] binder: 22518:22519 ioctl c0306201 200002c0 returned -14 [ 431.106913][T22530] binder: 22525:22530 got transaction with invalid offset (0, min 0 max 0) or object. [ 431.123557][T22532] binder_alloc: binder_alloc_mmap_handler: 22518 20001000-20004000 already mapped failed -16 [ 431.169040][T22519] binder: BINDER_SET_CONTEXT_MGR already set 03:51:00 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x8, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:00 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x20000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 431.224850][T22519] binder: 22518:22519 ioctl 40046207 0 returned -16 [ 431.306128][T22534] binder: 22518:22534 ioctl c0306201 200002c0 returned -14 [ 431.367263][ T17] binder: release 22518:22519 transaction 2269 out, still active [ 431.388958][ T17] binder: unexpected work type, 4, not freed 03:51:00 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0xa000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:00 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0xa, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 431.451934][ T17] binder: undelivered TRANSACTION_COMPLETE [ 431.458002][ T17] binder: send failed reply for transaction 2269, target dead 03:51:00 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x48000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 431.615116][T22548] binder_transaction: 5 callbacks suppressed [ 431.615126][T22548] binder: 22544:22548 got transaction to invalid handle [ 431.640183][T22549] binder: 22546:22549 got transaction with invalid offset (0, min 0 max 0) or object. [ 431.700747][T22551] binder: 22550:22551 got transaction with invalid offset (0, min 0 max 0) or object. [ 431.722158][T22548] binder: 22544:22548 ioctl c0306201 200002c0 returned -14 [ 431.794115][T22555] binder_alloc: binder_alloc_mmap_handler: 22544 20001000-20004000 already mapped failed -16 [ 431.861109][T22548] binder: BINDER_SET_CONTEXT_MGR already set [ 431.880616][T22548] binder: 22544:22548 ioctl 40046207 0 returned -16 [ 431.908701][T22554] binder_alloc_new_buf_locked: 14 callbacks suppressed [ 431.908709][T22554] binder_alloc: 22544: binder_alloc_buf, no vma [ 431.937466][T22555] binder: 22544:22555 got transaction to invalid handle [ 431.944625][T22555] binder: 22544:22555 ioctl c0306201 200002c0 returned -14 03:51:00 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x0, 0x300) r1 = fcntl$dupfd(r0, 0x0, 0xffffffffffffffff) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r2, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r2, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) ioctl$DRM_IOCTL_ADD_CTX(r1, 0xc0086420, &(0x7f0000000080)={0x0}) ioctl$DRM_IOCTL_RM_CTX(r1, 0xc0086421, &(0x7f0000000100)={r3}) sendmmsg(r2, &(0x7f0000000480), 0x2e9, 0xffd8) fcntl$F_SET_FILE_RW_HINT(r0, 0x40e, &(0x7f0000000000)=0x4) socket$packet(0x11, 0x0, 0x300) ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0) sendmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0) setsockopt$packet_tx_ring(r0, 0x107, 0x5, &(0x7f0000000040)=@req3={0x10000, 0x100000001}, 0x1c) 03:51:00 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000107, 0x0) 03:51:00 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x48, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:00 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000116, 0x0) 03:51:00 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x4c000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 431.957886][ T17] binder: release 22544:22548 transaction 2280 out, still active [ 431.965712][ T17] binder: unexpected work type, 4, not freed 03:51:00 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x10000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 432.006200][ T17] binder: undelivered TRANSACTION_COMPLETE [ 432.041184][ T17] binder: send failed reply for transaction 2280, target dead 03:51:00 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x4c, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:00 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x60000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:00 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000117, 0x0) [ 432.123088][T22575] binder: 22570:22575 got transaction to invalid handle [ 432.196522][T22575] binder: 22570:22575 ioctl c0306201 200002c0 returned -14 [ 432.285045][T22583] binder: 22580:22583 got transaction with invalid offset (0, min 0 max 0) or object. [ 432.300289][T22584] binder: 22582:22584 got transaction with invalid offset (0, min 0 max 0) or object. [ 432.321087][T22586] binder_alloc: binder_alloc_mmap_handler: 22570 20001000-20004000 already mapped failed -16 03:51:01 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x68000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:01 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x68, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 432.374719][T22575] binder: BINDER_SET_CONTEXT_MGR already set [ 432.402172][T22575] binder: 22570:22575 ioctl 40046207 0 returned -16 03:51:01 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000118, 0x0) [ 432.442431][T22586] binder_alloc: 22570: binder_alloc_buf, no vma [ 432.523106][ T12] binder: send failed reply for transaction 2291 to 22570:22575 [ 432.567083][ T12] binder: undelivered TRANSACTION_COMPLETE 03:51:01 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x0, 0x300) r1 = fcntl$dupfd(r0, 0x0, 0xffffffffffffffff) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r2, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r2, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) ioctl$DRM_IOCTL_ADD_CTX(r1, 0xc0086420, &(0x7f0000000080)={0x0}) ioctl$DRM_IOCTL_RM_CTX(r1, 0xc0086421, &(0x7f0000000100)={r3}) sendmmsg(r2, &(0x7f0000000480), 0x2e9, 0xffd8) fcntl$F_SET_FILE_RW_HINT(r0, 0x40e, &(0x7f0000000000)=0x4) socket$packet(0x11, 0x0, 0x300) ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0) sendmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0) setsockopt$packet_tx_ring(r0, 0x107, 0x5, &(0x7f0000000040)=@req3={0x10000, 0x100000001}, 0x1c) 03:51:01 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000108, 0x0) 03:51:01 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x20000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:01 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x6c000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:01 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x6c, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:01 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000119, 0x0) [ 433.018763][T22610] binder: 22609:22610 got transaction to invalid handle [ 433.034691][T22615] binder: 22608:22615 got transaction with invalid offset (0, min 0 max 0) or object. [ 433.061867][T22610] binder: 22609:22610 ioctl c0306201 200002c0 returned -14 03:51:01 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x74, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 433.092522][T22620] binder_alloc: binder_alloc_mmap_handler: 22609 20001000-20004000 already mapped failed -16 03:51:01 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000011a, 0x0) 03:51:01 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x74000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 433.149653][T22610] binder: BINDER_SET_CONTEXT_MGR already set [ 433.209687][T22610] binder: 22609:22610 ioctl 40046207 0 returned -16 [ 433.226981][T22626] binder_alloc: 22609: binder_alloc_buf, no vma [ 433.254524][T22627] binder: 22609:22627 got transaction to invalid handle [ 433.282084][T22620] binder_alloc: 22609: binder_alloc_buf, no vma [ 433.293272][T22627] binder: 22609:22627 ioctl c0306201 200002c0 returned -14 [ 433.335938][ T17] binder: release 22609:22610 transaction 2302 out, still active [ 433.351721][ T17] binder: unexpected work type, 4, not freed 03:51:02 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x7a, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 433.380621][ T17] binder: undelivered TRANSACTION_COMPLETE [ 433.386778][T22631] binder_alloc: 22609: binder_alloc_buf, no vma [ 433.432260][ T17] binder: send failed reply for transaction 2302, target dead 03:51:02 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x48000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:02 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x7a000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 433.658870][T22644] binder: 22641:22644 got transaction to invalid handle [ 433.658901][T22644] binder: 22641:22644 ioctl c0306201 200002c0 returned -14 [ 433.687146][T22645] binder_alloc: binder_alloc_mmap_handler: 22641 20001000-20004000 already mapped failed -16 [ 433.714791][T22644] binder: BINDER_SET_CONTEXT_MGR already set [ 433.730566][T22644] binder: 22641:22644 ioctl 40046207 0 returned -16 [ 433.761389][T22645] binder_alloc: 22641: binder_alloc_buf, no vma [ 433.780815][T22647] binder: 22641:22647 got transaction to invalid handle [ 433.788182][T22647] binder: 22641:22647 ioctl c0306201 200002c0 returned -14 [ 433.795749][ T12] binder: release 22641:22644 transaction 2314 out, still active [ 433.809186][ T12] binder: unexpected work type, 4, not freed [ 433.815288][ T12] binder: undelivered TRANSACTION_COMPLETE [ 433.822025][ T12] binder: send failed reply for transaction 2314, target dead 03:51:02 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x0, 0x300) r1 = fcntl$dupfd(r0, 0x0, 0xffffffffffffffff) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r2, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r2, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) ioctl$DRM_IOCTL_ADD_CTX(r1, 0xc0086420, &(0x7f0000000080)={0x0}) ioctl$DRM_IOCTL_RM_CTX(r1, 0xc0086421, &(0x7f0000000100)={r3}) sendmmsg(r2, &(0x7f0000000480), 0x2e9, 0xffd8) fcntl$F_SET_FILE_RW_HINT(r0, 0x40e, &(0x7f0000000000)=0x4) socket$packet(0x11, 0x0, 0x300) ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0) sendmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0) setsockopt$packet_tx_ring(r0, 0x107, 0x5, &(0x7f0000000040)=@req3={0x10000, 0x100000001}, 0x1c) 03:51:02 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000109, 0x0) 03:51:02 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x300, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:02 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000011b, 0x0) 03:51:02 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0xfdfdffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:02 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x4c000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 433.959138][T22659] binder: 22658:22659 got transaction to invalid handle [ 433.977514][T22661] binder: 22652:22661 got transaction with invalid offset (0, min 0 max 0) or object. 03:51:02 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x500, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 434.005943][T22659] binder: 22658:22659 ioctl c0306201 200002c0 returned -14 [ 434.051555][T22665] binder_alloc: binder_alloc_mmap_handler: 22658 20001000-20004000 already mapped failed -16 [ 434.097112][T22659] binder: BINDER_SET_CONTEXT_MGR already set [ 434.146157][T22667] binder_alloc: 22658: binder_alloc_buf, no vma [ 434.154403][T22659] binder: 22658:22659 ioctl 40046207 0 returned -16 03:51:02 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0xfffffdfd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 434.243396][T22665] binder: 22658:22665 got transaction to invalid handle 03:51:03 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x600, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 434.287110][T22659] binder_alloc: 22658: binder_alloc_buf, no vma [ 434.314259][ T12] binder: release 22658:22659 transaction 2322 out, still active [ 434.327256][T22665] binder: 22658:22665 ioctl c0306201 200002c0 returned -14 03:51:03 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000010a, 0x0) 03:51:03 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x68000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:03 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000011c, 0x0) [ 434.362137][ T12] binder: unexpected work type, 4, not freed [ 434.368436][ T12] binder: undelivered TRANSACTION_COMPLETE [ 434.385165][T22675] binder_alloc: 22658: binder_alloc_buf, no vma [ 434.392917][ T12] binder: send failed reply for transaction 2322, target dead [ 434.510835][T22686] binder: 22685:22686 got transaction to invalid handle [ 434.593405][T22686] binder: 22685:22686 ioctl c0306201 200002c0 returned -14 [ 434.650645][T22692] binder_alloc: binder_alloc_mmap_handler: 22685 20001000-20004000 already mapped failed -16 [ 434.696003][T22686] binder: BINDER_SET_CONTEXT_MGR already set [ 434.733824][T22694] binder: 22685:22694 ioctl c0306201 200002c0 returned -14 [ 434.743506][T22686] binder: 22685:22686 ioctl 40046207 0 returned -16 [ 434.771965][T22692] binder_alloc: 22685: binder_alloc_buf, no vma [ 434.782638][ T12] binder: release 22685:22686 transaction 2333 out, still active [ 434.803127][ T12] binder: unexpected work type, 4, not freed [ 434.809220][ T12] binder: undelivered TRANSACTION_COMPLETE [ 434.820247][ T12] binder: send failed reply for transaction 2333, target dead 03:51:03 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x0, 0x300) r1 = fcntl$dupfd(r0, 0x0, 0xffffffffffffffff) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r2, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r2, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) ioctl$DRM_IOCTL_ADD_CTX(r1, 0xc0086420, &(0x7f0000000080)={0x0}) ioctl$DRM_IOCTL_RM_CTX(r1, 0xc0086421, &(0x7f0000000100)={r3}) sendmmsg(r2, &(0x7f0000000480), 0x2e9, 0xffd8) fcntl$F_SET_FILE_RW_HINT(r0, 0x40e, &(0x7f0000000000)=0x4) socket$packet(0x11, 0x0, 0x300) ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0) sendmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0) 03:51:03 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x700, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:03 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x100000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:03 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000011d, 0x0) 03:51:03 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000010b, 0x0) 03:51:03 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x6c000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:03 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x200000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 434.979032][T22704] binder: 22701:22704 ioctl c0306201 200002c0 returned -14 03:51:03 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000011e, 0x0) 03:51:03 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0xa00, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 435.051228][T22714] binder_alloc: binder_alloc_mmap_handler: 22701 20001000-20004000 already mapped failed -16 [ 435.090074][T22704] binder: BINDER_SET_CONTEXT_MGR already set [ 435.130461][T22720] binder_transaction: 50 callbacks suppressed [ 435.130479][T22720] binder: 22701:22720 transaction failed 29201/-22, size 24-8 line 2994 [ 435.163840][T22704] binder: 22701:22704 ioctl 40046207 0 returned -16 [ 435.170633][T22716] binder: 22715:22716 transaction failed 29189/-3, size 0-8 line 3147 [ 435.238643][T22714] binder: 22701:22714 transaction failed 29189/-3, size 24-8 line 3147 [ 435.250076][T22724] binder: 22721:22724 transaction failed 29189/-3, size 0-8 line 3147 03:51:04 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x300000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 435.290018][ T17] binder: release 22701:22704 transaction 2342 out, still active [ 435.302221][T22720] binder: 22701:22720 ioctl c0306201 200002c0 returned -14 [ 435.313186][ T17] binder: unexpected work type, 4, not freed 03:51:04 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x4800, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 435.348448][ T17] binder: undelivered TRANSACTION_COMPLETE [ 435.391478][ T17] binder: send failed reply for transaction 2342, target dead [ 435.415104][T22729] binder: 22728:22729 transaction failed 29189/-22, size 0-8 line 2994 03:51:04 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x74000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 435.515185][T22731] binder: 22730:22731 transaction failed 29189/-22, size 0-8 line 2994 [ 435.568086][T22735] binder: 22734:22735 transaction failed 29201/-22, size 24-8 line 2994 [ 435.610126][T22735] binder: 22734:22735 ioctl c0306201 200002c0 returned -14 [ 435.619362][ T17] binder_release_work: 53 callbacks suppressed [ 435.619370][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 435.631144][T22738] binder_alloc: binder_alloc_mmap_handler: 22734 20001000-20004000 already mapped failed -16 [ 435.658601][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 435.712724][T22738] binder: 22734:22738 transaction failed 29189/-3, size 24-8 line 3147 [ 435.731383][T22735] binder: BINDER_SET_CONTEXT_MGR already set [ 435.733470][T22742] binder: 22734:22742 transaction failed 29201/-22, size 24-8 line 2994 [ 435.738986][T22735] binder: 22734:22735 ioctl 40046207 0 returned -16 [ 435.753560][T22742] binder: 22734:22742 ioctl c0306201 200002c0 returned -14 [ 435.761188][ T12] binder: release 22734:22735 transaction 2353 out, still active [ 435.776655][ T12] binder: unexpected work type, 4, not freed [ 435.783869][ T12] binder: undelivered TRANSACTION_COMPLETE [ 435.789930][ T12] binder: undelivered TRANSACTION_ERROR: 29201 [ 435.802597][ T12] binder: undelivered TRANSACTION_ERROR: 29189 03:51:04 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x0, 0x300) r1 = fcntl$dupfd(r0, 0x0, 0xffffffffffffffff) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r2, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r2, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) ioctl$DRM_IOCTL_ADD_CTX(r1, 0xc0086420, &(0x7f0000000080)={0x0}) ioctl$DRM_IOCTL_RM_CTX(r1, 0xc0086421, &(0x7f0000000100)={r3}) sendmmsg(r2, &(0x7f0000000480), 0x2e9, 0xffd8) fcntl$F_SET_FILE_RW_HINT(r0, 0x40e, &(0x7f0000000000)=0x4) socket$packet(0x11, 0x0, 0x300) ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0) 03:51:04 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000010c, 0x0) 03:51:04 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x400000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:04 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x4c00, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:04 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000011f, 0x0) 03:51:04 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x7a000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 435.808974][ T12] binder: undelivered TRANSACTION_ERROR: 29201 [ 435.825959][ T12] binder: send failed reply for transaction 2353, target dead [ 435.903100][T22752] binder: 22747:22752 got transaction with invalid offset (0, min 0 max 0) or object. [ 435.910594][T22754] binder: 22746:22754 got transaction with invalid offset (0, min 0 max 0) or object. [ 435.913822][T22745] binder: 22744:22745 transaction failed 29201/-22, size 24-8 line 2994 03:51:04 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x500000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 435.958815][T22745] binder: 22744:22745 ioctl c0306201 200002c0 returned -14 [ 435.998959][ T17] binder: undelivered TRANSACTION_ERROR: 29201 03:51:04 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000120, 0x0) 03:51:04 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x6800, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 436.069009][T22763] binder_alloc: binder_alloc_mmap_handler: 22744 20001000-20004000 already mapped failed -16 [ 436.072436][ T12] binder: undelivered TRANSACTION_ERROR: 29201 03:51:04 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x600000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 436.179236][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 436.193174][T22745] binder: BINDER_SET_CONTEXT_MGR already set [ 436.242116][T22745] binder: 22744:22745 ioctl 40046207 0 returned -16 [ 436.293012][T22774] binder: 22744:22774 ioctl c0306201 200002c0 returned -14 [ 436.331351][ T17] binder: undelivered TRANSACTION_ERROR: 29189 03:51:05 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x6c00, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:05 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x700000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 436.340537][ T17] binder: send failed reply for transaction 2362 to 22744:22745 [ 436.404723][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 436.451556][ T17] binder: undelivered TRANSACTION_COMPLETE 03:51:05 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x0, 0x300) r1 = fcntl$dupfd(r0, 0x0, 0xffffffffffffffff) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r2, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r2, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) ioctl$DRM_IOCTL_ADD_CTX(r1, 0xc0086420, &(0x7f0000000080)={0x0}) ioctl$DRM_IOCTL_RM_CTX(r1, 0xc0086421, &(0x7f0000000100)={r3}) sendmmsg(r2, &(0x7f0000000480), 0x2e9, 0xffd8) fcntl$F_SET_FILE_RW_HINT(r0, 0x40e, &(0x7f0000000000)=0x4) socket$packet(0x11, 0x0, 0x300) 03:51:05 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x100000000000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:05 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000010d, 0x0) 03:51:05 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x7400, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:05 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000121, 0x0) 03:51:05 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x800000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 436.813585][T22790] binder: 22789:22790 sending u0000000000000000 node 2376, cookie mismatch 0000000000000004 != 0000000000000000 [ 436.835474][T22795] binder: 22792:22795 got transaction with invalid offset (0, min 0 max 0) or object. 03:51:05 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x7a00, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 436.868010][T22790] binder: 22789:22790 ioctl c0306201 200002c0 returned -14 03:51:05 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000122, 0x0) [ 436.931598][T22805] binder_alloc: binder_alloc_mmap_handler: 22789 20001000-20004000 already mapped failed -16 [ 436.969649][T22807] binder_alloc_new_buf_locked: 8 callbacks suppressed 03:51:05 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0xa00000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 436.969657][T22807] binder_alloc: 22789: binder_alloc_buf, no vma [ 437.032241][T22790] binder: BINDER_SET_CONTEXT_MGR already set 03:51:05 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x1000000, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 437.081350][T22790] binder: 22789:22790 ioctl 40046207 0 returned -16 [ 437.107076][T22814] binder_alloc: 22789: binder_alloc_buf, no vma [ 437.132359][T22805] binder_alloc: 22789: binder_alloc_buf, no vma [ 437.169570][ T17] binder: release 22789:22790 transaction 2375 out, still active 03:51:06 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000010e, 0x0) [ 437.178374][T22813] binder_alloc: 22789: binder_alloc_buf, no vma [ 437.198667][ T17] binder: unexpected work type, 4, not freed [ 437.222412][T22813] binder: 22789:22813 ioctl c0306201 200002c0 returned -14 03:51:06 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x2000000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 437.236345][T22818] binder_alloc: 22789: binder_alloc_buf, no vma [ 437.252125][ T17] binder: undelivered TRANSACTION_COMPLETE [ 437.258207][ T17] binder: send failed reply for transaction 2375, target dead 03:51:06 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x0, 0x300) r1 = fcntl$dupfd(r0, 0x0, 0xffffffffffffffff) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r2, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r2, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) ioctl$DRM_IOCTL_ADD_CTX(r1, 0xc0086420, &(0x7f0000000080)={0x0}) ioctl$DRM_IOCTL_RM_CTX(r1, 0xc0086421, &(0x7f0000000100)={r3}) sendmmsg(r2, &(0x7f0000000480), 0x2e9, 0xffd8) fcntl$F_SET_FILE_RW_HINT(r0, 0x40e, &(0x7f0000000000)=0x4) 03:51:06 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000123, 0x0) 03:51:06 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x200000000000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:06 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x2000000, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:06 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x4800000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:06 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000010f, 0x0) [ 437.734222][T22836] binder: 22835:22836 sending u0000000000000000 node 2390, cookie mismatch 0000000000000004 != 0000000000000000 03:51:06 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x3000000, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:06 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x4c00000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 437.840701][T22836] binder: 22835:22836 ioctl c0306201 200002c0 returned -14 [ 437.901117][T22850] binder_alloc: binder_alloc_mmap_handler: 22835 20001000-20004000 already mapped failed -16 [ 437.936041][T22849] binder_alloc: 22835: binder_alloc_buf, no vma [ 437.991105][T22836] binder: BINDER_SET_CONTEXT_MGR already set [ 438.021931][T22836] binder: 22835:22836 ioctl 40046207 0 returned -16 [ 438.028871][T22852] binder_alloc: 22835: binder_alloc_buf, no vma [ 438.060818][T22850] binder_alloc: 22835: binder_alloc_buf, no vma 03:51:06 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x4000000, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 438.102809][T22850] binder: 22835:22850 ioctl c0306201 200002c0 returned -14 [ 438.119807][ T12] binder: release 22835:22836 transaction 2389 out, still active [ 438.140747][ T12] binder: unexpected work type, 4, not freed 03:51:06 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x6000000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:07 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x300000000000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 438.166485][ T12] binder: undelivered TRANSACTION_COMPLETE [ 438.202095][ T12] binder: send failed reply for transaction 2389, target dead 03:51:07 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000110, 0x0) [ 438.296929][T22864] binder: 22863:22864 sending u0000000000000000 node 2400, cookie mismatch 0000000000000004 != 0000000000000000 [ 438.372975][T22864] binder: 22863:22864 ioctl c0306201 200002c0 returned -14 [ 438.408357][T22871] binder_alloc: binder_alloc_mmap_handler: 22863 20001000-20004000 already mapped failed -16 [ 438.501147][T22864] binder: BINDER_SET_CONTEXT_MGR already set [ 438.513177][T22864] binder: 22863:22864 ioctl 40046207 0 returned -16 [ 438.520126][T22871] binder_alloc: 22863: binder_alloc_buf, no vma [ 438.530940][T22872] binder_alloc: 22863: binder_alloc_buf, no vma [ 438.539817][T22872] binder: 22863:22872 ioctl c0306201 200002c0 returned -14 [ 438.547181][ T12] binder: release 22863:22864 transaction 2399 out, still active [ 438.547191][ T12] binder: unexpected work type, 4, not freed [ 438.547210][ T12] binder: undelivered TRANSACTION_COMPLETE 03:51:07 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x5000000, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:07 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000124, 0x0) 03:51:07 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x6800000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:07 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x400000000000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:07 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x0, 0x300) r1 = fcntl$dupfd(r0, 0x0, 0xffffffffffffffff) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r2, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r2, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) ioctl$DRM_IOCTL_ADD_CTX(r1, 0xc0086420, &(0x7f0000000080)={0x0}) ioctl$DRM_IOCTL_RM_CTX(r1, 0xc0086421, &(0x7f0000000100)={r3}) sendmmsg(r2, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:07 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000111, 0x0) [ 438.629528][ T12] binder: send failed reply for transaction 2399, target dead [ 438.712735][T22882] binder: 22878:22882 got transaction with invalid offset (0, min 0 max 0) or object. [ 438.725667][T22884] binder: 22876:22884 got transaction with invalid offset (0, min 0 max 0) or object. [ 438.735579][T22881] binder: 22880:22881 sending u0000000000000000 node 2408, cookie mismatch 0000000000000004 != 0000000000000000 03:51:07 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x6c00000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 438.791981][T22881] binder: 22880:22881 ioctl c0306201 200002c0 returned -14 03:51:07 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x6000000, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 438.834692][T22890] binder_alloc: binder_alloc_mmap_handler: 22880 20001000-20004000 already mapped failed -16 03:51:07 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000125, 0x0) 03:51:07 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x7400000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 438.981143][T22900] binder: BINDER_SET_CONTEXT_MGR already set [ 439.003988][T22900] binder: 22880:22900 ioctl 40046207 0 returned -16 03:51:07 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x7000000, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 439.065860][T22890] binder: 22880:22890 ioctl c0306201 200002c0 returned -14 [ 439.105386][ T12] binder: release 22880:22881 transaction 2407 out, still active 03:51:07 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000126, 0x0) [ 439.124120][ T12] binder: unexpected work type, 4, not freed 03:51:08 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x500000000000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:08 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x7a00000000000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:08 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000112, 0x0) [ 439.165916][ T12] binder: undelivered TRANSACTION_COMPLETE [ 439.195967][ T12] binder: send failed reply for transaction 2407, target dead 03:51:08 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x8000000, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 439.318728][T22921] binder: 22917:22921 sending u0000000000000000 node 2420, cookie mismatch 0000000000000004 != 0000000000000000 [ 439.373269][T22924] binder: 22919:22924 got transaction with invalid offset (0, min 0 max 0) or object. [ 439.399981][T22926] binder: 22925:22926 got transaction with invalid offset (0, min 0 max 0) or object. [ 439.411112][T22921] binder: 22917:22921 ioctl c0306201 200002c0 returned -14 [ 439.441543][T22927] binder_alloc: binder_alloc_mmap_handler: 22917 20001000-20004000 already mapped failed -16 [ 439.487099][T22921] binder: BINDER_SET_CONTEXT_MGR already set [ 439.521205][T22921] binder: 22917:22921 ioctl 40046207 0 returned -16 [ 439.579565][T22930] binder: 22917:22930 ioctl c0306201 200002c0 returned -14 [ 439.613363][ T17] binder: release 22917:22921 transaction 2419 out, still active [ 439.627411][ T17] binder: unexpected work type, 4, not freed 03:51:08 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x0, 0x300) r1 = fcntl$dupfd(r0, 0x0, 0xffffffffffffffff) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r2, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r2, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) ioctl$DRM_IOCTL_ADD_CTX(r1, 0xc0086420, &(0x7f0000000080)={0x0}) ioctl$DRM_IOCTL_RM_CTX(r1, 0xc0086421, &(0x7f0000000100)={r3}) sendmmsg(r2, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:08 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000127, 0x0) 03:51:08 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0xfdfdffff00000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:08 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0xa000000, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:08 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x600000000000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:08 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000113, 0x0) [ 439.651010][ T17] binder: undelivered TRANSACTION_COMPLETE [ 439.676638][ T17] binder: send failed reply for transaction 2419, target dead [ 439.783757][T22944] binder: 22939:22944 sending u0000000000000000 node 2431, cookie mismatch 0000000000000004 != 0000000000000000 [ 439.814484][T22944] binder: 22939:22944 ioctl c0306201 200002c0 returned -14 03:51:08 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x48000000, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:08 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 439.830027][T22950] binder_alloc: binder_alloc_mmap_handler: 22939 20001000-20004000 already mapped failed -16 [ 439.887380][T22944] binder: BINDER_SET_CONTEXT_MGR already set 03:51:08 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000128, 0x0) [ 439.929453][T22944] binder: 22939:22944 ioctl 40046207 0 returned -16 03:51:08 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 439.993127][T22956] binder: 22939:22956 ioctl c0306201 200002c0 returned -14 [ 440.050521][ T12] binder: release 22939:22944 transaction 2430 out, still active [ 440.067803][ T12] binder: unexpected work type, 4, not freed 03:51:08 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x4c000000, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 440.107362][ T12] binder: undelivered TRANSACTION_COMPLETE [ 440.140981][ T12] binder: send failed reply for transaction 2430, target dead [ 440.150098][T22964] binder_transaction: 50 callbacks suppressed 03:51:08 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x700000000000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 440.150114][T22964] binder: 22962:22964 transaction failed 29189/-22, size 0-8 line 2994 [ 440.229590][T22968] binder: 22967:22968 transaction failed 29189/-22, size 0-8 line 2994 [ 440.314280][T22973] binder: 22969:22973 sending u0000000000000000 node 2442, cookie mismatch 0000000000000004 != 0000000000000000 [ 440.401884][T22973] binder: 22969:22973 transaction failed 29201/-22, size 24-8 line 3257 [ 440.414287][T22973] binder: 22969:22973 ioctl c0306201 200002c0 returned -14 [ 440.454358][T22977] binder_alloc: binder_alloc_mmap_handler: 22969 20001000-20004000 already mapped failed -16 [ 440.465322][T22973] binder: BINDER_SET_CONTEXT_MGR already set [ 440.472914][T22973] binder: 22969:22973 ioctl 40046207 0 returned -16 [ 440.474115][T22978] binder: 22969:22978 transaction failed 29189/-3, size 24-8 line 3147 [ 440.479801][T22977] binder: 22969:22977 transaction failed 29189/-3, size 24-8 line 3147 [ 440.497005][T22978] binder: 22969:22978 ioctl c0306201 200002c0 returned -14 [ 440.508717][ T17] binder: release 22969:22973 transaction 2441 out, still active [ 440.525664][ T17] binder: unexpected work type, 4, not freed [ 440.545922][ T17] binder: undelivered TRANSACTION_COMPLETE [ 440.561045][ T17] binder: send failed reply for transaction 2441, target dead 03:51:09 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x0, 0x300) r1 = fcntl$dupfd(r0, 0x0, 0xffffffffffffffff) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r2, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r2, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) ioctl$DRM_IOCTL_ADD_CTX(r1, 0xc0086420, &(0x7f0000000080)) sendmmsg(r2, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:09 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000129, 0x0) 03:51:09 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:09 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x68000000, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:09 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000114, 0x0) 03:51:09 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x800000000000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 440.684134][T22985] binder: 22984:22985 transaction failed 29189/-22, size 0-8 line 2994 [ 440.693255][T22983] binder: 22982:22983 transaction failed 29189/-22, size 0-8 line 2994 [ 440.713720][T22987] binder: 22986:22987 sending u0000000000000000 node 2451, cookie mismatch 0000000000000004 != 0000000000000000 03:51:09 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x5, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 440.765752][T22987] binder: 22986:22987 transaction failed 29201/-22, size 24-8 line 3257 [ 440.780703][ T12] binder_release_work: 52 callbacks suppressed [ 440.780711][ T12] binder: undelivered TRANSACTION_ERROR: 29189 03:51:09 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x6c000000, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:09 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000012a, 0x0) [ 440.814232][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 440.823659][T22987] binder: 22986:22987 ioctl c0306201 200002c0 returned -14 [ 440.896549][T22997] binder_alloc: binder_alloc_mmap_handler: 22986 20001000-20004000 already mapped failed -16 [ 440.938005][T22987] binder: BINDER_SET_CONTEXT_MGR already set [ 440.993229][T23001] binder: 23000:23001 transaction failed 29189/-3, size 0-8 line 3147 [ 441.001902][T23002] binder: 22998:23002 transaction failed 29189/-3, size 0-8 line 3147 [ 441.002148][T23004] binder: 22986:23004 ioctl c0306201 200002c0 returned -14 [ 441.011487][T22987] binder: 22986:22987 ioctl 40046207 0 returned -16 03:51:09 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x6, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:09 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000012b, 0x0) [ 441.074391][ T12] binder: release 22986:22987 transaction 2450 out, still active [ 441.090605][ T12] binder: unexpected work type, 4, not freed [ 441.108268][ T12] binder: undelivered TRANSACTION_COMPLETE 03:51:09 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x74000000, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 441.128537][ T12] binder: undelivered TRANSACTION_ERROR: 29201 [ 441.166976][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 441.210679][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 441.245990][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 441.265663][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 441.295936][ T12] binder: send failed reply for transaction 2450, target dead [ 441.330198][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 441.364472][ T12] binder: undelivered TRANSACTION_ERROR: 29189 03:51:10 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x0, 0x300) fcntl$dupfd(r0, 0x0, 0xffffffffffffffff) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r1, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r1, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:10 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000115, 0x0) 03:51:10 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0xa00000000000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:10 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:10 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x7a000000, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:10 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000012c, 0x0) [ 441.612756][T23024] binder: 23023:23024 sending u0000000000000000 node 2462, cookie mismatch 0000000000000004 != 0000000000000000 [ 441.624054][T23032] binder: 23025:23032 got transaction with invalid offset (0, min 0 max 0) or object. [ 441.646758][T23033] binder: 23029:23033 got transaction with invalid offset (0, min 0 max 0) or object. [ 441.680034][T23024] binder: 23023:23024 ioctl c0306201 200002c0 returned -14 [ 441.703870][T23037] binder_alloc: binder_alloc_mmap_handler: 23023 20001000-20004000 already mapped failed -16 03:51:10 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:10 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000012d, 0x0) [ 441.732267][T23024] binder: BINDER_SET_CONTEXT_MGR already set [ 441.759698][T23024] binder: 23023:23024 ioctl 40046207 0 returned -16 [ 441.759704][ T17] binder: undelivered TRANSACTION_ERROR: 29201 03:51:10 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x100000000000000, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 441.875363][ T12] binder: release 23023:23024 transaction 2461 out, still active [ 441.898640][ T12] binder: unexpected work type, 4, not freed 03:51:10 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x1000000000000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:10 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 441.942026][ T12] binder: undelivered TRANSACTION_COMPLETE [ 441.981891][ T12] binder: send failed reply for transaction 2461, target dead 03:51:10 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x200000000000000, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 442.124021][T23053] binder: 23050:23053 sending u0000000000000000 node 2471, cookie mismatch 0000000000000004 != 0000000000000000 [ 442.126072][T23055] binder: 23054:23055 got transaction with invalid offset (0, min 0 max 0) or object. [ 442.183318][T23053] binder: 23050:23053 ioctl c0306201 200002c0 returned -14 [ 442.217939][T23059] binder_alloc: binder_alloc_mmap_handler: 23050 20001000-20004000 already mapped failed -16 [ 442.242173][T23058] binder_alloc_new_buf_locked: 22 callbacks suppressed [ 442.242181][T23058] binder_alloc: 23050: binder_alloc_buf, no vma [ 442.282139][T23053] binder: BINDER_SET_CONTEXT_MGR already set [ 442.293135][T23053] binder: 23050:23053 ioctl 40046207 0 returned -16 [ 442.311580][T23059] binder_alloc: 23050: binder_alloc_buf, no vma [ 442.328262][T23062] binder_alloc: 23050: binder_alloc_buf, no vma [ 442.337050][T23062] binder: 23050:23062 ioctl c0306201 200002c0 returned -14 [ 442.347131][ T12] binder: release 23050:23053 transaction 2470 out, still active [ 442.375336][ T12] binder: unexpected work type, 4, not freed [ 442.381357][ T12] binder: undelivered TRANSACTION_COMPLETE [ 442.436558][ T12] binder: send failed reply for transaction 2470, target dead 03:51:11 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x0, 0x300) fcntl$dupfd(r0, 0x0, 0xffffffffffffffff) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) sendmmsg(r1, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:11 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000116, 0x0) 03:51:11 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x300000000000000, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:11 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000012e, 0x0) 03:51:11 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x48, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:11 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x2000000000000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 442.549069][T23074] binder: 23071:23074 sending u0000000000000000 node 2480, cookie mismatch 0000000000000004 != 0000000000000000 [ 442.564252][T23077] binder: 23068:23077 got transaction with invalid offset (0, min 0 max 0) or object. [ 442.566269][T23076] binder: 23067:23076 got transaction with invalid offset (0, min 0 max 0) or object. 03:51:11 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x4c, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 442.601571][T23074] binder: 23071:23074 ioctl c0306201 200002c0 returned -14 [ 442.668708][T23081] binder_alloc: binder_alloc_mmap_handler: 23071 20001000-20004000 already mapped failed -16 [ 442.714014][T23074] binder: BINDER_SET_CONTEXT_MGR already set [ 442.752137][T23083] binder_alloc: 23071: binder_alloc_buf, no vma [ 442.759751][T23074] binder: 23071:23074 ioctl 40046207 0 returned -16 03:51:11 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x400000000000000, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:11 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x60, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 442.860124][T23074] binder_alloc: 23071: binder_alloc_buf, no vma [ 442.939894][ T17] binder: release 23071:23074 transaction 2479 out, still active [ 442.950107][T23086] binder_alloc: 23071: binder_alloc_buf, no vma [ 442.967016][ T17] binder: unexpected work type, 4, not freed 03:51:11 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000012f, 0x0) [ 443.000972][T23090] binder_alloc: 23071: binder_alloc_buf, no vma [ 443.010519][ T17] binder: undelivered TRANSACTION_COMPLETE 03:51:11 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000117, 0x0) 03:51:11 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x4800000000000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 443.051395][ T17] binder: send failed reply for transaction 2479, target dead [ 443.208320][T23103] binder: 23102:23103 sending u0000000000000000 node 2491, cookie mismatch 0000000000000004 != 0000000000000000 [ 443.246159][T23103] binder: 23102:23103 ioctl c0306201 200002c0 returned -14 03:51:12 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x68, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:12 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x500000000000000, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:12 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x0, 0x300) fcntl$dupfd(r0, 0x0, 0xffffffffffffffff) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) sendmmsg(r1, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:12 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000130, 0x0) [ 443.280781][T23106] binder_alloc: binder_alloc_mmap_handler: 23102 20001000-20004000 already mapped failed -16 [ 443.316392][T23109] binder_alloc: 23102: binder_alloc_buf, no vma [ 443.356903][T23103] binder: BINDER_SET_CONTEXT_MGR already set [ 443.372008][T23110] binder_alloc: 23102: binder_alloc_buf, no vma [ 443.377477][T23103] binder: 23102:23103 ioctl 40046207 0 returned -16 03:51:12 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x600000000000000, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 443.431313][T23106] binder_alloc: 23102: binder_alloc_buf, no vma 03:51:12 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x6c, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 443.481632][ T17] binder: release 23102:23103 transaction 2490 out, still active 03:51:12 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000131, 0x0) [ 443.522369][T23117] binder: 23102:23117 ioctl c0306201 200002c0 returned -14 [ 443.533037][ T17] binder: unexpected work type, 4, not freed 03:51:12 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000118, 0x0) 03:51:12 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x700000000000000, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 443.581529][ T17] binder: undelivered TRANSACTION_COMPLETE 03:51:12 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x4c00000000000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 443.623981][ T17] binder: send failed reply for transaction 2490, target dead 03:51:12 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x74, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 443.736867][T23138] binder: 23134:23138 sending u0000000000000000 node 2503, cookie mismatch 0000000000000004 != 0000000000000000 03:51:12 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x800000000000000, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 443.832250][T23138] binder: 23134:23138 ioctl c0306201 200002c0 returned -14 [ 443.844200][T23141] binder: 23140:23141 got transaction with invalid offset (0, min 0 max 0) or object. [ 443.880265][T23143] binder_alloc: binder_alloc_mmap_handler: 23134 20001000-20004000 already mapped failed -16 [ 443.950482][T23138] binder: BINDER_SET_CONTEXT_MGR already set [ 443.968479][T23138] binder: 23134:23138 ioctl 40046207 0 returned -16 03:51:12 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x0, 0x300) fcntl$dupfd(r0, 0x0, 0xffffffffffffffff) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) sendmmsg(r1, &(0x7f0000000480), 0x2e9, 0xffd8) [ 443.996214][T23146] binder: 23134:23146 ioctl c0306201 200002c0 returned -14 03:51:12 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x7a, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:12 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0xa00000000000000, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 444.047889][ T17] binder: send failed reply for transaction 2502 to 23134:23138 03:51:12 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x6800000000000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 444.107076][ T17] binder: undelivered TRANSACTION_COMPLETE 03:51:13 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000119, 0x0) 03:51:13 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000132, 0x0) 03:51:13 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x300, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 444.219242][T23161] binder: 23160:23161 sending u0000000000000000 node 2514, cookie mismatch 0000000000000004 != 0000000000000000 03:51:13 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x4800000000000000, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 444.311126][T23161] binder: 23160:23161 ioctl c0306201 200002c0 returned -14 [ 444.381980][T23171] binder_alloc: binder_alloc_mmap_handler: 23160 20001000-20004000 already mapped failed -16 [ 444.417981][T23161] binder: BINDER_SET_CONTEXT_MGR already set [ 444.446690][T23161] binder: 23160:23161 ioctl 40046207 0 returned -16 03:51:13 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000133, 0x0) 03:51:13 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x4c00000000000000, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:13 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x500, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 444.492066][T23171] binder: 23160:23171 ioctl c0306201 200002c0 returned -14 [ 444.588178][ T17] binder: send failed reply for transaction 2513 to 23160:23161 03:51:13 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x6c00000000000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:13 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x0, 0x300) fcntl$dupfd(r0, 0x0, 0xffffffffffffffff) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x3, 0x7) setsockopt$inet6_IPV6_XFRM_POLICY(r1, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r1, &(0x7f0000000480), 0x2e9, 0xffd8) [ 444.637649][ T17] binder: undelivered TRANSACTION_COMPLETE 03:51:13 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x6800000000000000, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:13 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000011a, 0x0) 03:51:13 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x600, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:13 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000134, 0x0) 03:51:13 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x0, 0x300) fcntl$dupfd(r0, 0x0, 0xffffffffffffffff) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x3, 0x7) setsockopt$inet6_IPV6_XFRM_POLICY(r1, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r1, &(0x7f0000000480), 0x2e9, 0xffd8) [ 444.821621][T23192] binder: 23191:23192 sending u0000000000000000 node 2524, cookie mismatch 0000000000000004 != 0000000000000000 [ 444.838950][T23199] binder: 23198:23199 got transaction with invalid offset (0, min 0 max 0) or object. [ 444.870850][T23204] binder: 23201:23204 got transaction with invalid offset (0, min 0 max 0) or object. [ 444.879069][T23192] binder: 23191:23192 ioctl c0306201 200002c0 returned -14 [ 444.929708][T23208] binder_alloc: binder_alloc_mmap_handler: 23191 20001000-20004000 already mapped failed -16 [ 444.968172][T23192] binder: BINDER_SET_CONTEXT_MGR already set 03:51:13 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000135, 0x0) 03:51:13 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x6c00000000000000, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 445.001997][T23192] binder: 23191:23192 ioctl 40046207 0 returned -16 [ 445.002893][T23212] binder: 23191:23212 ioctl c0306201 200002c0 returned -14 03:51:13 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x0, 0x300) fcntl$dupfd(r0, 0x0, 0xffffffffffffffff) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r1 = socket$inet6(0xa, 0x3, 0x7) setsockopt$inet6_IPV6_XFRM_POLICY(r1, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r1, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:13 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x700, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 445.052111][ T17] binder: release 23191:23192 transaction 2523 out, still active [ 445.060129][ T17] binder: unexpected work type, 4, not freed [ 445.095512][ T17] binder: undelivered TRANSACTION_COMPLETE 03:51:13 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x7400000000000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 445.164599][ T17] binder: send failed reply for transaction 2523, target dead 03:51:14 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000011b, 0x0) [ 445.216001][T23225] binder_transaction: 48 callbacks suppressed [ 445.216017][T23225] binder: 23222:23225 transaction failed 29189/-22, size 0-8 line 2994 03:51:14 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x7400000000000000, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:14 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x0, 0x300) fcntl$dupfd(r0, 0x0, 0xffffffffffffffff) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) connect$inet6(0xffffffffffffffff, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(0xffffffffffffffff, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:14 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000136, 0x0) 03:51:14 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0xa00, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 445.317529][T23231] binder: 23228:23231 sending u0000000000000000 node 2535, cookie mismatch 0000000000000004 != 0000000000000000 [ 445.402239][T23236] binder: 23235:23236 got transaction with invalid offset (0, min 0 max 0) or object. [ 445.428801][T23231] binder: 23228:23231 transaction failed 29201/-22, size 24-8 line 3257 03:51:14 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x0, 0x300) fcntl$dupfd(r0, 0x0, 0xffffffffffffffff) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) connect$inet6(0xffffffffffffffff, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(0xffffffffffffffff, &(0x7f0000000480), 0x2e9, 0xffd8) [ 445.478037][T23231] binder: 23228:23231 ioctl c0306201 200002c0 returned -14 [ 445.487127][T23245] binder: 23244:23245 got transaction with invalid offset (0, min 0 max 0) or object. [ 445.488879][T23236] binder: 23235:23236 transaction failed 29201/-22, size 0-8 line 3241 [ 445.510852][T23245] binder: 23244:23245 transaction failed 29201/-22, size 0-8 line 3241 03:51:14 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000137, 0x0) [ 445.549121][T23248] binder_alloc: binder_alloc_mmap_handler: 23228 20001000-20004000 already mapped failed -16 03:51:14 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x7a00000000000000, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:14 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x2000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:14 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000011c, 0x0) [ 445.630282][T23231] binder: BINDER_SET_CONTEXT_MGR already set 03:51:14 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x0, 0x300) fcntl$dupfd(r0, 0x0, 0xffffffffffffffff) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) connect$inet6(0xffffffffffffffff, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(0xffffffffffffffff, &(0x7f0000000480), 0x2e9, 0xffd8) [ 445.720721][T23231] binder: 23228:23231 ioctl 40046207 0 returned -16 [ 445.731944][T23248] binder: 23228:23248 transaction failed 29189/-3, size 24-8 line 3147 [ 445.764091][ T12] binder: send failed reply for transaction 2534 to 23228:23231 [ 445.782200][T23254] binder: 23228:23254 transaction failed 29189/-3, size 24-8 line 3147 [ 445.790502][T23254] binder: 23228:23254 ioctl c0306201 200002c0 returned -14 [ 445.801824][ T12] binder_release_work: 47 callbacks suppressed [ 445.801831][ T12] binder: undelivered TRANSACTION_ERROR: 29189 03:51:14 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x7a00000000000000, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:14 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000138, 0x0) [ 445.844457][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 445.850714][ T12] binder: undelivered TRANSACTION_COMPLETE [ 445.874017][ T12] binder: undelivered TRANSACTION_ERROR: 29201 [ 445.880210][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 445.896068][ T12] binder: undelivered TRANSACTION_ERROR: 29201 [ 445.961572][T23273] binder: 23271:23273 transaction failed 29189/-22, size 0-8 line 2994 [ 445.976073][T23265] binder: 23264:23265 transaction failed 29189/-22, size 0-8 line 2994 [ 445.988425][T23275] binder: 23270:23275 sending u0000000000000000 node 2546, cookie mismatch 0000000000000004 != 0000000000000000 03:51:14 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x0, 0x300) fcntl$dupfd(r0, 0x0, 0xffffffffffffffff) r1 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r1, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r1, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:14 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x9, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 446.008253][T23275] binder: 23270:23275 transaction failed 29201/-22, size 24-8 line 3257 [ 446.027418][T23275] binder: 23270:23275 ioctl c0306201 200002c0 returned -14 [ 446.042101][ T17] binder: undelivered TRANSACTION_ERROR: 29189 03:51:14 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x4800, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 446.089036][T23278] binder_alloc: binder_alloc_mmap_handler: 23270 20001000-20004000 already mapped failed -16 [ 446.107108][T23275] binder: BINDER_SET_CONTEXT_MGR already set [ 446.138409][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 446.147700][T23278] binder: 23270:23278 transaction failed 29189/-3, size 24-8 line 3147 03:51:15 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x25, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 446.207635][ T17] binder: release 23270:23275 transaction 2545 out, still active [ 446.216206][T23275] binder: 23270:23275 ioctl 40046207 0 returned -16 [ 446.230272][ T17] binder: unexpected work type, 4, not freed [ 446.258869][ T17] binder: undelivered TRANSACTION_COMPLETE [ 446.302123][ T17] binder: undelivered TRANSACTION_ERROR: 29201 03:51:15 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x4c00, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:15 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x2, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:15 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000139, 0x0) [ 446.346331][ T17] binder: undelivered TRANSACTION_ERROR: 29189 03:51:15 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000011d, 0x0) 03:51:15 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x63, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 446.448206][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 446.467755][T23301] binder: BINDER_SET_CONTEXT_MGR already set [ 446.529098][T23301] binder: 23297:23301 ioctl 40046207 0 returned -16 [ 446.529613][T23307] binder: 23297:23307 ioctl c0306201 200002c0 returned -14 [ 446.543596][ T17] binder: send failed reply for transaction 2545, target dead 03:51:15 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000013a, 0x0) 03:51:15 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x300, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:15 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x0, 0x300) fcntl$dupfd(r0, 0x0, 0xffffffffffffffff) r1 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r1, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r1, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:15 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x6000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 446.611679][T23307] binder_alloc: binder_alloc_mmap_handler: 23297 20001000-20004000 already mapped failed -16 [ 446.699634][T23319] binder: 23297:23319 ioctl c0306201 200002c0 returned -14 03:51:15 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x3c1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:15 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x3, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:15 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x6800, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:15 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000011e, 0x0) 03:51:15 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000013b, 0x0) 03:51:15 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0xffffff1f, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 446.925674][T23332] binder: 23330:23332 sending u0000000000000000 node 2564, cookie mismatch 0000000000000004 != 0000000000000000 [ 446.982171][T23332] binder: 23330:23332 ioctl c0306201 200002c0 returned -14 [ 446.998396][T23339] binder: 23333:23339 got transaction with invalid offset (0, min 0 max 0) or object. [ 447.045461][T23341] binder: 23338:23341 got transaction with invalid offset (0, min 0 max 0) or object. [ 447.060875][T23342] binder_alloc: binder_alloc_mmap_handler: 23330 20001000-20004000 already mapped failed -16 03:51:15 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x6c00, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:15 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000013c, 0x0) 03:51:15 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x2, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 447.107766][T23332] binder: BINDER_SET_CONTEXT_MGR already set 03:51:15 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x0, 0x300) fcntl$dupfd(r0, 0x0, 0xffffffffffffffff) r1 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r1, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r1, &(0x7f0000000480), 0x2e9, 0xffd8) [ 447.223166][T23351] binder: 23330:23351 ioctl c0306201 200002c0 returned -14 [ 447.227417][T23332] binder: 23330:23332 ioctl 40046207 0 returned -16 [ 447.253749][T23353] binder_alloc_new_buf_locked: 22 callbacks suppressed [ 447.253758][T23353] binder_alloc: 23330: binder_alloc_buf, no vma [ 447.283807][ T12] binder: release 23330:23332 transaction 2563 out, still active [ 447.291615][ T12] binder: unexpected work type, 4, not freed 03:51:16 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x4, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 447.333442][ T12] binder: undelivered TRANSACTION_COMPLETE [ 447.339520][ T12] binder: send failed reply for transaction 2563, target dead [ 447.349884][T23357] binder_alloc: 23330: binder_alloc_buf, no vma 03:51:16 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x7400, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:16 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000011f, 0x0) 03:51:16 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000013d, 0x0) 03:51:16 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x3, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:16 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) socket$packet(0x11, 0x0, 0x300) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:16 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x7a00, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 447.541151][T23369] binder: 23361:23369 sending u0000000000000000 node 2576, cookie mismatch 0000000000000004 != 0000000000000000 [ 447.568142][T23373] binder: 23372:23373 got transaction with invalid offset (0, min 0 max 0) or object. [ 447.637182][T23369] binder: 23361:23369 ioctl c0306201 200002c0 returned -14 [ 447.712247][T23381] binder_alloc: binder_alloc_mmap_handler: 23361 20001000-20004000 already mapped failed -16 [ 447.728518][T23382] binder_alloc: 23361: binder_alloc_buf, no vma 03:51:16 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x4, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:16 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000013e, 0x0) [ 447.758023][T23369] binder: BINDER_SET_CONTEXT_MGR already set [ 447.790104][T23369] binder: 23361:23369 ioctl 40046207 0 returned -16 03:51:16 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x1000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 447.894684][T23388] binder_alloc: 23361: binder_alloc_buf, no vma 03:51:16 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000120, 0x0) [ 447.938084][T23369] binder_alloc: 23361: binder_alloc_buf, no vma [ 447.977368][T23381] binder_alloc: 23361: binder_alloc_buf, no vma 03:51:16 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x5, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 448.011596][ T12] binder: release 23361:23369 transaction 2575 out, still active [ 448.020227][T23395] binder_alloc: 23361: binder_alloc_buf, no vma [ 448.030534][T23381] binder: 23361:23381 ioctl c0306201 200002c0 returned -14 [ 448.041072][ T12] binder: unexpected work type, 4, not freed [ 448.098145][ T12] binder: undelivered TRANSACTION_COMPLETE [ 448.135591][ T12] binder: send failed reply for transaction 2575, target dead 03:51:16 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x5, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:16 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000013f, 0x0) 03:51:16 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:17 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x6, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 448.352170][T23409] binder: 23407:23409 ioctl c0306201 200002c0 returned -14 03:51:17 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x3000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 448.466552][T23412] binder: 23407:23412 ioctl c0306201 200002c0 returned -14 03:51:17 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:17 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x7, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:17 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x4000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:17 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000121, 0x0) 03:51:17 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x6, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:17 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000140, 0x0) 03:51:17 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x8, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 448.730869][T23435] binder: 23427:23435 sending u0000000000000000 node 2596, cookie mismatch 0000000000000004 != 0000000000000000 [ 448.739928][T23434] binder: 23431:23434 got transaction with invalid offset (0, min 0 max 0) or object. [ 448.822805][T23435] binder: 23427:23435 ioctl c0306201 200002c0 returned -14 [ 448.849717][T23441] binder: 23440:23441 got transaction with invalid offset (0, min 0 max 0) or object. 03:51:17 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x5000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 448.867533][T23443] binder_alloc: binder_alloc_mmap_handler: 23427 20001000-20004000 already mapped failed -16 03:51:17 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0xa, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 448.932524][T23435] binder: BINDER_SET_CONTEXT_MGR already set 03:51:17 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000141, 0x0) [ 448.973110][T23435] binder: 23427:23435 ioctl 40046207 0 returned -16 [ 448.983944][T23447] binder_alloc: 23427: binder_alloc_buf, no vma [ 449.028893][T23443] binder_alloc: 23427: binder_alloc_buf, no vma [ 449.072160][ T22] binder: release 23427:23435 transaction 2594 out, still active [ 449.080712][T23435] binder_alloc: 23427: binder_alloc_buf, no vma [ 449.092643][ T22] binder: unexpected work type, 4, not freed [ 449.111388][T23443] binder: 23427:23443 ioctl c0306201 200002c0 returned -14 03:51:17 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000122, 0x0) 03:51:17 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x6000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 449.120080][ T22] binder: undelivered TRANSACTION_COMPLETE [ 449.161103][ T22] binder: send failed reply for transaction 2594, target dead 03:51:18 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:18 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x48, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:18 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x7, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:18 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x7000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:18 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000142, 0x0) 03:51:18 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000123, 0x0) [ 449.697880][T23477] binder: 23473:23477 sending u0000000000000000 node 2607, cookie mismatch 0000000000000004 != 0000000000000000 [ 449.712327][T23475] binder: 23470:23475 got transaction with invalid offset (0, min 0 max 0) or object. [ 449.716876][T23477] binder: 23473:23477 ioctl c0306201 200002c0 returned -14 [ 449.724636][T23474] binder: 23472:23474 got transaction with invalid offset (0, min 0 max 0) or object. [ 449.734440][T23479] binder_alloc: binder_alloc_mmap_handler: 23473 20001000-20004000 already mapped failed -16 [ 449.749802][T23477] binder: BINDER_SET_CONTEXT_MGR already set [ 449.756765][T23477] binder: 23473:23477 ioctl 40046207 0 returned -16 [ 449.769890][T23480] binder: 23473:23480 ioctl c0306201 200002c0 returned -14 [ 449.797096][ T22] binder: release 23473:23477 transaction 2606 out, still active [ 449.825876][ T22] binder: unexpected work type, 4, not freed 03:51:18 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x8, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:18 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x8000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 449.863889][ T22] binder: undelivered TRANSACTION_COMPLETE 03:51:18 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x4c, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 449.913182][ T22] binder: send failed reply for transaction 2606, target dead [ 450.068869][T23487] binder: 23486:23487 sending u0000000000000000 node 2616, cookie mismatch 0000000000000004 != 0000000000000000 [ 450.083759][T23490] binder: 23485:23490 got transaction with invalid offset (0, min 0 max 0) or object. 03:51:18 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000143, 0x0) [ 450.112015][T23487] binder: 23486:23487 ioctl c0306201 200002c0 returned -14 [ 450.160333][T23494] binder: 23488:23494 got transaction with invalid offset (0, min 0 max 0) or object. [ 450.198127][T23498] binder_alloc: binder_alloc_mmap_handler: 23486 20001000-20004000 already mapped failed -16 03:51:19 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0xa000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:19 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000124, 0x0) [ 450.240572][T23494] binder_transaction: 49 callbacks suppressed [ 450.240593][T23494] binder: 23488:23494 transaction failed 29201/-22, size 0-8 line 3241 [ 450.244047][T23487] binder: BINDER_SET_CONTEXT_MGR already set [ 450.338572][T23504] binder: 23486:23504 transaction failed 29189/-3, size 24-8 line 3147 [ 450.361906][T23503] binder: 23486:23503 transaction failed 29189/-3, size 24-8 line 3147 [ 450.382460][T23501] binder: 23500:23501 transaction failed 29189/-3, size 0-8 line 3147 [ 450.392824][ T12] binder: release 23486:23487 transaction 2615 out, still active [ 450.414001][ T12] binder: unexpected work type, 4, not freed [ 450.417433][T23487] binder: 23486:23487 ioctl 40046207 0 returned -16 [ 450.442655][T23504] binder: 23486:23504 ioctl c0306201 200002c0 returned -14 [ 450.461991][ T12] binder: undelivered TRANSACTION_COMPLETE [ 450.497357][ T12] binder: send failed reply for transaction 2615, target dead 03:51:19 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x20000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:19 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x68, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:19 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0xa, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:19 executing program 3: perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:19 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000144, 0x0) [ 450.741924][T23514] binder: 23513:23514 sending u0000000000000000 node 2626, cookie mismatch 0000000000000004 != 0000000000000000 [ 450.768507][T23516] binder: 23515:23516 got transaction with invalid offset (0, min 0 max 0) or object. [ 450.784039][T23519] binder: 23517:23519 transaction failed 29201/-22, size 0-8 line 3241 03:51:19 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x6c, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 450.811583][T23514] binder: 23513:23514 transaction failed 29201/-22, size 24-8 line 3257 [ 450.820591][T23516] binder: 23515:23516 transaction failed 29201/-22, size 0-8 line 3241 [ 450.840858][ T22] binder_release_work: 52 callbacks suppressed [ 450.840867][ T22] binder: undelivered TRANSACTION_ERROR: 29201 [ 450.853917][T23514] binder: 23513:23514 ioctl c0306201 200002c0 returned -14 [ 450.906636][T23525] binder_alloc: binder_alloc_mmap_handler: 23513 20001000-20004000 already mapped failed -16 03:51:19 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x48000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:19 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000125, 0x0) [ 450.951975][T23514] binder: BINDER_SET_CONTEXT_MGR already set [ 450.962578][T23527] binder: 23526:23527 transaction failed 29189/-3, size 0-8 line 3147 [ 450.970901][ T22] binder: undelivered TRANSACTION_ERROR: 29201 [ 450.988683][T23514] binder: 23513:23514 ioctl 40046207 0 returned -16 [ 451.028993][T23525] binder: 23513:23525 transaction failed 29189/-3, size 24-8 line 3147 [ 451.069122][T23533] binder: 23532:23533 transaction failed 29189/-3, size 0-8 line 3147 03:51:19 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x74, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 451.082014][ T22] binder: release 23513:23514 transaction 2625 out, still active [ 451.089825][ T22] binder: unexpected work type, 4, not freed 03:51:19 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x10, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 451.138079][ T22] binder: undelivered TRANSACTION_COMPLETE [ 451.157598][ T22] binder: undelivered TRANSACTION_ERROR: 29201 03:51:20 executing program 3: perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) [ 451.188082][ T22] binder: undelivered TRANSACTION_ERROR: 29189 [ 451.219600][ T22] binder: undelivered TRANSACTION_ERROR: 29189 [ 451.227137][T23543] binder: BINDER_SET_CONTEXT_MGR already set 03:51:20 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x4c000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:20 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x7a, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 451.251999][T23543] binder: 23542:23543 ioctl 40046207 0 returned -16 [ 451.270942][ T22] binder: send failed reply for transaction 2625, target dead 03:51:20 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000145, 0x0) [ 451.310055][ T22] binder: undelivered TRANSACTION_ERROR: 29189 [ 451.320699][T23543] binder: 23542:23543 ioctl c0306201 200002c0 returned -14 [ 451.354433][ T22] binder: undelivered TRANSACTION_ERROR: 29189 [ 451.398412][T23553] binder_alloc: binder_alloc_mmap_handler: 23542 20001000-20004000 already mapped failed -16 03:51:20 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x60000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 451.449222][T23553] binder: 23542:23553 ioctl c0306201 200002c0 returned -14 [ 451.478940][ T22] binder: undelivered TRANSACTION_ERROR: 29189 03:51:20 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x300, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 451.508201][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 451.515789][ T12] binder: undelivered TRANSACTION_ERROR: 29189 03:51:20 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x48, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:20 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x68000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:20 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000126, 0x0) 03:51:20 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x500, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:20 executing program 3: perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) [ 451.804896][T23570] binder: 23569:23570 sending u0000000000000000 node 2646, cookie mismatch 0000000000000004 != 0000000000000000 03:51:20 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000146, 0x0) 03:51:20 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x6c000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 451.895774][T23570] binder: 23569:23570 ioctl c0306201 200002c0 returned -14 03:51:20 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x600, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 451.964673][T23586] binder_alloc: binder_alloc_mmap_handler: 23569 20001000-20004000 already mapped failed -16 [ 452.033553][T23586] binder: 23569:23586 ioctl c0306201 200002c0 returned -14 [ 452.063946][T23590] binder: BINDER_SET_CONTEXT_MGR already set 03:51:20 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x74000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:20 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x700, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 452.102153][T23590] binder: 23569:23590 ioctl 40046207 0 returned -16 [ 452.112414][ T12] binder: release 23569:23570 transaction 2645 out, still active [ 452.120147][ T12] binder: unexpected work type, 4, not freed 03:51:20 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000147, 0x0) [ 452.163165][ T12] binder: undelivered TRANSACTION_COMPLETE [ 452.204358][ T12] binder: send failed reply for transaction 2645, target dead 03:51:21 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x7a000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:21 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x4c, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:21 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000127, 0x0) 03:51:21 executing program 3: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:21 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0xa00, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 452.363458][T23607] binder: 23606:23607 sending u0000000000000000 node 2658, cookie mismatch 0000000000000004 != 0000000000000000 [ 452.416841][T23610] binder_transaction: 2 callbacks suppressed [ 452.416855][T23610] binder: 23608:23610 got transaction with invalid offset (0, min 0 max 0) or object. [ 452.478129][T23607] binder: 23606:23607 ioctl c0306201 200002c0 returned -14 [ 452.497724][T23616] binder: 23615:23616 got transaction with invalid offset (0, min 0 max 0) or object. [ 452.506079][T23619] binder_alloc: binder_alloc_mmap_handler: 23606 20001000-20004000 already mapped failed -16 03:51:21 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0xfdfdffff, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 452.540048][T23607] binder: BINDER_SET_CONTEXT_MGR already set [ 452.589258][T23607] binder: 23606:23607 ioctl 40046207 0 returned -16 [ 452.607936][T23622] binder_alloc_new_buf_locked: 16 callbacks suppressed [ 452.607944][T23622] binder_alloc: 23606: binder_alloc_buf, no vma 03:51:21 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x4800, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:21 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000148, 0x0) [ 452.636117][ T22] binder: release 23606:23607 transaction 2657 out, still active [ 452.655044][ T22] binder: unexpected work type, 4, not freed [ 452.673650][T23619] binder_alloc: 23606: binder_alloc_buf, no vma [ 452.702813][ T22] binder: undelivered TRANSACTION_COMPLETE [ 452.742027][ T22] binder: send failed reply for transaction 2657, target dead 03:51:21 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0xfffffdfd, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:21 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x68, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:21 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000128, 0x0) 03:51:21 executing program 3: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:21 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x4c00, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 452.974020][T23640] binder: 23636:23640 sending u0000000000000000 node 2669, cookie mismatch 0000000000000004 != 0000000000000000 03:51:21 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x100000000000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 453.032097][T23640] binder: 23636:23640 ioctl c0306201 200002c0 returned -14 [ 453.074872][T23647] binder: 23644:23647 got transaction with invalid offset (0, min 0 max 0) or object. [ 453.086308][T23649] binder_alloc: binder_alloc_mmap_handler: 23636 20001000-20004000 already mapped failed -16 [ 453.111932][T23650] binder_alloc: 23636: binder_alloc_buf, no vma [ 453.153123][T23640] binder: BINDER_SET_CONTEXT_MGR already set [ 453.182599][T23640] binder: 23636:23640 ioctl 40046207 0 returned -16 [ 453.194436][T23651] binder_alloc: 23636: binder_alloc_buf, no vma 03:51:22 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x6800, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:22 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000149, 0x0) [ 453.258178][ T22] binder: release 23636:23640 transaction 2668 out, still active [ 453.264534][T23652] binder_alloc: 23636: binder_alloc_buf, no vma [ 453.281897][ T22] binder: unexpected work type, 4, not freed 03:51:22 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x200000000000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 453.302968][T23652] binder: 23636:23652 ioctl c0306201 200002c0 returned -14 [ 453.318833][ T22] binder: undelivered TRANSACTION_COMPLETE 03:51:22 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000129, 0x0) 03:51:22 executing program 3: perf_event_open(&(0x7f000001d000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:22 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x6c, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 453.356573][ T22] binder: send failed reply for transaction 2668, target dead 03:51:22 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x6c00, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:22 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x7400, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 453.526246][T23674] binder: 23669:23674 sending u0000000000000000 node 2681, cookie mismatch 0000000000000004 != 0000000000000000 03:51:22 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000014a, 0x0) 03:51:22 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x300000000000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 453.582607][T23674] binder: 23669:23674 ioctl c0306201 200002c0 returned -14 [ 453.626241][T23683] binder_alloc: binder_alloc_mmap_handler: 23669 20001000-20004000 already mapped failed -16 [ 453.677744][T23681] binder_alloc: 23669: binder_alloc_buf, no vma [ 453.698559][T23674] binder: BINDER_SET_CONTEXT_MGR already set 03:51:22 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000014b, 0x0) 03:51:22 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x400000000000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 453.766051][T23674] binder: 23669:23674 ioctl 40046207 0 returned -16 [ 453.766831][T23683] binder_alloc: 23669: binder_alloc_buf, no vma [ 453.822545][T23688] binder_alloc: 23669: binder_alloc_buf, no vma [ 453.831882][ T22] binder: send failed reply for transaction 2680 to 23669:23674 [ 453.841365][ T22] binder: undelivered TRANSACTION_COMPLETE 03:51:22 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000012a, 0x0) 03:51:22 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x7a00, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 453.869853][T23687] binder_alloc: 23669: binder_alloc_buf, no vma [ 453.891522][T23688] binder: 23669:23688 ioctl c0306201 200002c0 returned -14 03:51:22 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:22 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x500000000000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:22 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x74, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:22 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000014c, 0x0) 03:51:22 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x1000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 454.148178][T23712] binder: 23710:23712 sending u0000000000000000 node 2693, cookie mismatch 0000000000000004 != 0000000000000000 03:51:23 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x600000000000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 454.202380][T23712] binder: 23710:23712 ioctl c0306201 200002c0 returned -14 [ 454.266951][T23719] binder_alloc: binder_alloc_mmap_handler: 23710 20001000-20004000 already mapped failed -16 [ 454.284862][T23720] binder_alloc: 23710: binder_alloc_buf, no vma [ 454.302100][T23712] binder: BINDER_SET_CONTEXT_MGR already set [ 454.310323][T23712] binder: 23710:23712 ioctl 40046207 0 returned -16 03:51:23 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000012b, 0x0) [ 454.343732][T23722] binder: 23710:23722 ioctl c0306201 200002c0 returned -14 03:51:23 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x700000000000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:23 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x2000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 454.390116][ T22] binder: release 23710:23712 transaction 2692 out, still active [ 454.415255][ T22] binder: unexpected work type, 4, not freed 03:51:23 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000014d, 0x0) 03:51:23 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x7a, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:23 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) [ 454.453962][ T22] binder: undelivered TRANSACTION_COMPLETE [ 454.483986][ T22] binder: send failed reply for transaction 2692, target dead [ 454.595243][T23740] binder: 23737:23740 sending u0000000000000000 node 2703, cookie mismatch 0000000000000004 != 0000000000000000 [ 454.627023][T23744] binder: 23743:23744 got transaction with invalid offset (0, min 0 max 0) or object. 03:51:23 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x800000000000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 454.647698][T23740] binder: 23737:23740 ioctl c0306201 200002c0 returned -14 03:51:23 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000014e, 0x0) [ 454.689019][T23747] binder_alloc: binder_alloc_mmap_handler: 23737 20001000-20004000 already mapped failed -16 03:51:23 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x3000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 454.738283][T23740] binder: BINDER_SET_CONTEXT_MGR already set [ 454.773476][T23740] binder: 23737:23740 ioctl 40046207 0 returned -16 03:51:23 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0xa00000000000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 454.821334][T23756] binder: 23737:23756 ioctl c0306201 200002c0 returned -14 [ 454.868126][ T22] binder: send failed reply for transaction 2702 to 23737:23740 [ 454.885554][ T22] binder: undelivered TRANSACTION_COMPLETE 03:51:23 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:23 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x4000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:23 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000012c, 0x0) 03:51:23 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x300, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:23 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x2000000000000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:23 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x5000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 455.126971][T23773] binder: 23770:23773 sending u0000000000000000 node 2715, cookie mismatch 0000000000000004 != 0000000000000000 [ 455.144186][T23775] binder: 23772:23775 got transaction with invalid offset (0, min 0 max 0) or object. [ 455.201233][T23773] binder: 23770:23773 ioctl c0306201 200002c0 returned -14 03:51:24 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x4800000000000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 455.255386][T23781] binder_alloc: binder_alloc_mmap_handler: 23770 20001000-20004000 already mapped failed -16 [ 455.266224][T23780] binder_transaction: 56 callbacks suppressed [ 455.266244][T23780] binder: 23778:23780 transaction failed 29189/-3, size 0-8 line 3147 03:51:24 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000014f, 0x0) [ 455.322300][T23773] binder: BINDER_SET_CONTEXT_MGR already set 03:51:24 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x6000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 455.365882][T23773] binder: 23770:23773 ioctl 40046207 0 returned -16 [ 455.366124][T23785] binder: 23770:23785 transaction failed 29189/-3, size 24-8 line 3147 [ 455.432831][ T12] binder: release 23770:23773 transaction 2714 out, still active [ 455.439718][T23781] binder: 23770:23781 transaction failed 29189/-3, size 24-8 line 3147 [ 455.440629][ T12] binder: unexpected work type, 4, not freed [ 455.440638][ T12] binder: undelivered TRANSACTION_COMPLETE [ 455.442655][T23785] binder: 23770:23785 ioctl c0306201 200002c0 returned -14 [ 455.449149][T23786] binder: 23783:23786 transaction failed 29189/-3, size 0-8 line 3147 [ 455.466783][ T12] binder: send failed reply for transaction 2714, target dead [ 455.489153][T23791] binder: 23790:23791 transaction failed 29189/-22, size 0-8 line 2994 03:51:24 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x7000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:24 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x4c00000000000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:24 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000012d, 0x0) 03:51:24 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x500, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:24 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) [ 455.650917][T23800] binder: 23796:23800 transaction failed 29189/-22, size 0-8 line 2994 03:51:24 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x8000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:24 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000150, 0x0) [ 455.756263][T23808] binder: 23803:23808 transaction failed 29189/-22, size 0-8 line 2994 [ 455.793265][T23810] binder: 23807:23810 sending u0000000000000000 node 2728, cookie mismatch 0000000000000004 != 0000000000000000 [ 455.848103][T23810] binder: 23807:23810 transaction failed 29201/-22, size 24-8 line 3257 [ 455.865539][T23810] binder: 23807:23810 ioctl c0306201 200002c0 returned -14 [ 455.883940][T23815] binder_alloc: binder_alloc_mmap_handler: 23807 20001000-20004000 already mapped failed -16 [ 455.894422][T23814] binder: 23811:23814 transaction failed 29189/-3, size 0-8 line 3147 [ 455.913053][T23810] binder: BINDER_SET_CONTEXT_MGR already set [ 455.930525][T23810] binder: 23807:23810 ioctl 40046207 0 returned -16 [ 455.948208][T23815] binder: 23807:23815 transaction failed 29189/-3, size 24-8 line 3147 [ 455.969891][T23816] binder: 23807:23816 ioctl c0306201 200002c0 returned -14 [ 455.972326][ T12] binder_release_work: 60 callbacks suppressed [ 455.972334][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 456.021827][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 456.048902][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 456.069518][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 456.090397][ T12] binder: send failed reply for transaction 2727 to 23807:23810 [ 456.113408][ T12] binder: undelivered TRANSACTION_COMPLETE 03:51:24 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000151, 0x0) 03:51:24 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x600, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:24 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0xa000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:24 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x6000000000000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:24 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000012e, 0x0) [ 456.119998][ T12] binder: undelivered TRANSACTION_ERROR: 29201 [ 456.136989][ T12] binder: undelivered TRANSACTION_ERROR: 29189 03:51:24 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) [ 456.242974][T23833] binder: 23824:23833 sending u0000000000000000 node 2738, cookie mismatch 0000000000000004 != 0000000000000000 03:51:25 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000152, 0x0) 03:51:25 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x48000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:25 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x6800000000000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 456.300492][T23833] binder: 23824:23833 ioctl c0306201 200002c0 returned -14 [ 456.323041][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 456.332385][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 456.370846][T23843] binder_alloc: binder_alloc_mmap_handler: 23824 20001000-20004000 already mapped failed -16 [ 456.442914][T23843] binder: 23824:23843 ioctl c0306201 200002c0 returned -14 [ 456.479695][ T12] binder: release 23824:23833 transaction 2737 out, still active 03:51:25 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x4c000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 456.502464][ T12] binder: unexpected work type, 4, not freed [ 456.508666][ T12] binder: undelivered TRANSACTION_COMPLETE 03:51:25 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x6c00000000000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:25 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x700, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:25 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000153, 0x0) 03:51:25 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000012f, 0x0) [ 456.571462][ T12] binder: undelivered TRANSACTION_ERROR: 29201 [ 456.583484][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 456.601921][ T12] binder: send failed reply for transaction 2737, target dead 03:51:25 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x0, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) [ 456.686235][T23864] binder: 23854:23864 ioctl c0306201 200002c0 returned -14 03:51:25 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0xa00, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:25 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x68000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:25 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x7400000000000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:25 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000154, 0x0) [ 456.934308][T23884] binder: 23878:23884 sending u0000000000000000 node 2751, cookie mismatch 0000000000000004 != 0000000000000000 [ 456.941053][T23885] binder: 23883:23885 got transaction with invalid offset (0, min 0 max 0) or object. 03:51:25 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x6c000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:25 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x0, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) [ 456.981910][T23884] binder: 23878:23884 ioctl c0306201 200002c0 returned -14 [ 457.037197][T23891] binder_alloc: binder_alloc_mmap_handler: 23878 20001000-20004000 already mapped failed -16 03:51:25 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x7a00000000000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 457.100917][T23884] binder: BINDER_SET_CONTEXT_MGR already set 03:51:26 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x74000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 457.147627][T23884] binder: 23878:23884 ioctl 40046207 0 returned -16 [ 457.148668][T23895] binder: 23878:23895 ioctl c0306201 200002c0 returned -14 [ 457.161928][ T22] binder: send failed reply for transaction 2750 to 23878:23884 [ 457.169629][ T22] binder: undelivered TRANSACTION_COMPLETE 03:51:26 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000130, 0x0) 03:51:26 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x2000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:26 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000155, 0x0) 03:51:26 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x0, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:26 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0xfdfdffff00000000, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:26 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x7a000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:26 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x0) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) [ 457.491106][T23924] binder: 23919:23924 sending u0000000000000000 node 2762, cookie mismatch 0000000000000004 != 0000000000000000 [ 457.515989][T23923] binder: 23921:23923 got transaction with invalid offset (0, min 0 max 0) or object. [ 457.533313][T23924] binder: 23919:23924 ioctl c0306201 200002c0 returned -14 [ 457.600440][T23931] binder_alloc: binder_alloc_mmap_handler: 23919 20001000-20004000 already mapped failed -16 03:51:26 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 457.641513][T23929] binder_alloc_new_buf_locked: 19 callbacks suppressed [ 457.641523][T23929] binder_alloc: 23919: binder_alloc_buf, no vma [ 457.702852][T23924] binder: BINDER_SET_CONTEXT_MGR already set [ 457.729749][T23924] binder: 23919:23924 ioctl 40046207 0 returned -16 03:51:26 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000156, 0x0) [ 457.754062][ T22] binder: release 23919:23924 transaction 2761 out, still active [ 457.767882][ T22] binder: unexpected work type, 4, not freed 03:51:26 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x100000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 457.807875][T23943] binder_alloc: 23919: binder_alloc_buf, no vma [ 457.827185][ T22] binder: undelivered TRANSACTION_COMPLETE [ 457.854880][T23931] binder_alloc: 23919: binder_alloc_buf, no vma [ 457.855030][ T22] binder: send failed reply for transaction 2761, target dead 03:51:26 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x0) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:26 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000131, 0x0) 03:51:26 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:26 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x4800, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:26 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x200000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:26 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x0) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:26 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000157, 0x0) [ 458.144368][T23967] binder: 23965:23967 sending u0000000000000000 node 2774, cookie mismatch 0000000000000004 != 0000000000000000 03:51:27 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 458.229057][T23967] binder: 23965:23967 ioctl c0306201 200002c0 returned -14 03:51:27 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x300000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 458.283720][T23974] binder_alloc: binder_alloc_mmap_handler: 23965 20001000-20004000 already mapped failed -16 [ 458.363747][T23967] binder: BINDER_SET_CONTEXT_MGR already set [ 458.400670][T23981] binder_alloc: 23965: binder_alloc_buf, no vma [ 458.408764][T23967] binder: 23965:23967 ioctl 40046207 0 returned -16 03:51:27 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(0xffffffffffffffff, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:27 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000132, 0x0) [ 458.435600][ T22] binder: send failed reply for transaction 2773 to 23965:23967 [ 458.450951][T23974] binder_alloc: 23965: binder_alloc_buf, no vma [ 458.466937][ T22] binder: undelivered TRANSACTION_COMPLETE [ 458.472954][T23988] binder_alloc: 23965: binder_alloc_buf, no vma 03:51:27 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000158, 0x0) 03:51:27 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x5, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 458.509538][T23986] binder_alloc: 23965: binder_alloc_buf, no vma 03:51:27 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x400000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 458.574566][T23986] binder: 23965:23986 ioctl c0306201 200002c0 returned -14 03:51:27 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(0xffffffffffffffff, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:27 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x4c00, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:27 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000159, 0x0) 03:51:27 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x500000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:27 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x6, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:27 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(0xffffffffffffffff, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) [ 458.957098][T24018] binder: 24009:24018 sending u0000000000000000 node 2785, cookie mismatch 0000000000000004 != 0000000000000000 [ 458.989500][T24021] binder: 24015:24021 got transaction with invalid offset (0, min 0 max 0) or object. 03:51:27 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000133, 0x0) [ 459.013699][T24016] binder: 24014:24016 got transaction with invalid offset (0, min 0 max 0) or object. [ 459.023790][T24018] binder: 24009:24018 ioctl c0306201 200002c0 returned -14 [ 459.053410][T24026] binder_alloc: binder_alloc_mmap_handler: 24009 20001000-20004000 already mapped failed -16 03:51:27 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, 0x0, 0x0) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) [ 459.117906][T24018] binder: BINDER_SET_CONTEXT_MGR already set 03:51:28 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:28 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x600000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 459.169878][T24018] binder: 24009:24018 ioctl 40046207 0 returned -16 03:51:28 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000015a, 0x0) [ 459.240307][T24026] binder_alloc: 24009: binder_alloc_buf, no vma [ 459.298309][ T22] binder: release 24009:24018 transaction 2784 out, still active [ 459.307131][T24032] binder_alloc: 24009: binder_alloc_buf, no vma [ 459.322518][ T22] binder: unexpected work type, 4, not freed 03:51:28 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, 0x0, 0x0) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) [ 459.351426][ T22] binder: undelivered TRANSACTION_COMPLETE [ 459.359637][T24040] binder_alloc: 24009: binder_alloc_buf, no vma [ 459.371941][T24032] binder: 24009:24032 ioctl c0306201 200002c0 returned -14 03:51:28 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x700000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 459.410944][ T22] binder: send failed reply for transaction 2784, target dead 03:51:28 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x6800, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:28 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:28 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000134, 0x0) 03:51:28 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, 0x0, 0x0) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) [ 459.663189][T24056] binder: 24053:24056 sending u0000000000000000 node 2798, cookie mismatch 0000000000000004 != 0000000000000000 03:51:28 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x800000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:28 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 459.742825][T24056] binder: 24053:24056 ioctl c0306201 200002c0 returned -14 [ 459.791216][T24069] binder_alloc: binder_alloc_mmap_handler: 24053 20001000-20004000 already mapped failed -16 03:51:28 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000015b, 0x0) 03:51:28 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) [ 459.838570][T24056] binder: BINDER_SET_CONTEXT_MGR already set [ 459.871203][T24056] binder: 24053:24056 ioctl 40046207 0 returned -16 03:51:28 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0xa00000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 459.915811][T24074] binder: 24053:24074 ioctl c0306201 200002c0 returned -14 03:51:28 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x48, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 459.962051][ T12] binder: send failed reply for transaction 2797 to 24053:24056 [ 459.987270][ T12] binder: undelivered TRANSACTION_COMPLETE 03:51:28 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x4800000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:28 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x6c00, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:29 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x4c00000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:29 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) [ 460.236835][T24092] binder: 24089:24092 sending u0000000000000000 node 2810, cookie mismatch 0000000000000004 != 0000000000000000 03:51:29 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000135, 0x0) 03:51:29 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x4c, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 460.314666][T24092] binder_transaction: 51 callbacks suppressed [ 460.314684][T24092] binder: 24089:24092 transaction failed 29201/-22, size 24-8 line 3257 [ 460.371091][T24099] binder: 24096:24099 got transaction with invalid offset (0, min 0 max 0) or object. [ 460.391906][T24092] binder: 24089:24092 ioctl c0306201 200002c0 returned -14 [ 460.410270][T24099] binder: 24096:24099 transaction failed 29201/-22, size 0-8 line 3241 03:51:29 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000015c, 0x0) [ 460.420080][T24101] binder: 24100:24101 got transaction with invalid offset (0, min 0 max 0) or object. [ 460.441852][T24106] binder_alloc: binder_alloc_mmap_handler: 24089 20001000-20004000 already mapped failed -16 03:51:29 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x60, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 460.487891][T24101] binder: 24100:24101 transaction failed 29201/-22, size 0-8 line 3241 [ 460.527459][T24092] binder: BINDER_SET_CONTEXT_MGR already set 03:51:29 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000015d, 0x0) [ 460.572517][T24106] binder: 24089:24106 transaction failed 29189/-3, size 24-8 line 3147 [ 460.572529][T24092] binder: 24089:24092 ioctl 40046207 0 returned -16 03:51:29 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x6800000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 460.618822][ T12] binder: send failed reply for transaction 2809 to 24089:24092 [ 460.638333][ T12] binder: undelivered TRANSACTION_COMPLETE [ 460.645526][T24115] binder: 24113:24115 transaction failed 29189/-22, size 0-8 line 2994 03:51:29 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x68, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 460.752894][T24119] binder: 24118:24119 transaction failed 29189/-22, size 0-8 line 2994 03:51:29 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x7400, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:29 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000015e, 0x0) 03:51:29 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x6c00000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 460.916585][T24129] binder: 24124:24129 sending u0000000000000000 node 2820, cookie mismatch 0000000000000004 != 0000000000000000 [ 460.952824][T24128] binder: 24126:24128 got transaction with invalid offset (0, min 0 max 0) or object. 03:51:29 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(0xffffffffffffffff, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:29 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000136, 0x0) [ 460.972646][T24128] binder: 24126:24128 transaction failed 29201/-22, size 0-8 line 3241 [ 461.008845][T24129] binder: 24124:24129 transaction failed 29201/-22, size 24-8 line 3257 [ 461.074278][T24138] binder: 24134:24138 got transaction with invalid offset (0, min 0 max 0) or object. [ 461.078542][T24129] binder: 24124:24129 ioctl c0306201 200002c0 returned -14 [ 461.107534][T24138] binder: 24134:24138 transaction failed 29201/-22, size 0-8 line 3241 [ 461.115952][ T12] binder_release_work: 56 callbacks suppressed 03:51:29 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x6c, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 461.115960][ T12] binder: undelivered TRANSACTION_ERROR: 29201 [ 461.116299][T24141] binder_alloc: binder_alloc_mmap_handler: 24124 20001000-20004000 already mapped failed -16 [ 461.156973][T24129] binder: BINDER_SET_CONTEXT_MGR already set 03:51:30 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x7400000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 461.226245][T24129] binder: 24124:24129 ioctl 40046207 0 returned -16 [ 461.254375][T24141] binder: 24124:24141 transaction failed 29189/-3, size 24-8 line 3147 [ 461.298968][ T22] binder: send failed reply for transaction 2819 to 24124:24129 [ 461.306992][T24143] binder: 24124:24143 ioctl c0306201 200002c0 returned -14 [ 461.329327][ T22] binder: undelivered TRANSACTION_ERROR: 29201 03:51:30 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x74, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 461.358348][ T22] binder: undelivered TRANSACTION_ERROR: 29189 03:51:30 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x7a00000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:30 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x7a00, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 461.407186][ T22] binder: undelivered TRANSACTION_ERROR: 29189 [ 461.456721][ T22] binder: undelivered TRANSACTION_ERROR: 29189 03:51:30 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, 0x0, 0x0) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) [ 461.518464][ T22] binder: undelivered TRANSACTION_ERROR: 29189 [ 461.543751][ T22] binder: undelivered TRANSACTION_COMPLETE 03:51:30 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000137, 0x0) 03:51:30 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000015f, 0x0) [ 461.562918][ T22] binder: undelivered TRANSACTION_ERROR: 29201 03:51:30 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x7a, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 461.593845][T24160] binder: 24158:24160 sending u0000000000000000 node 2832, cookie mismatch 0000000000000004 != 0000000000000000 [ 461.599379][ T22] binder: undelivered TRANSACTION_ERROR: 29189 [ 461.618917][T24162] binder: 24156:24162 got transaction with invalid offset (0, min 0 max 0) or object. [ 461.686167][ T22] binder: undelivered TRANSACTION_ERROR: 29189 [ 461.697864][T24160] binder: 24158:24160 ioctl c0306201 200002c0 returned -14 03:51:30 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, 0x0, 0x0) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) [ 461.731251][T24171] binder: 24170:24171 got transaction with invalid offset (0, min 0 max 0) or object. [ 461.741980][T24173] binder_alloc: binder_alloc_mmap_handler: 24158 20001000-20004000 already mapped failed -16 03:51:30 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x2, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 461.779748][ T22] binder: undelivered TRANSACTION_ERROR: 29201 [ 461.787052][T24160] binder: BINDER_SET_CONTEXT_MGR already set 03:51:30 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x300, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 461.878868][T24160] binder: 24158:24160 ioctl 40046207 0 returned -16 [ 461.879083][T24179] binder: 24158:24179 ioctl c0306201 200002c0 returned -14 03:51:30 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x3, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 461.965605][ T17] binder: release 24158:24160 transaction 2831 out, still active [ 461.986497][ T17] binder: unexpected work type, 4, not freed 03:51:30 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000160, 0x0) [ 462.013829][ T17] binder: undelivered TRANSACTION_COMPLETE 03:51:30 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000138, 0x0) 03:51:30 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x500, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 462.044467][ T17] binder: send failed reply for transaction 2831, target dead 03:51:30 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x1000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:30 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, 0x0, 0x0) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:31 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x4, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:31 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x600, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 462.249980][T24201] binder: 24200:24201 sending u0000000000000000 node 2845, cookie mismatch 0000000000000004 != 0000000000000000 03:51:31 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000161, 0x0) [ 462.317516][T24208] binder: 24206:24208 got transaction with invalid offset (0, min 0 max 0) or object. [ 462.330081][T24201] binder: 24200:24201 ioctl c0306201 200002c0 returned -14 03:51:31 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x700, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 462.393925][T24213] binder_alloc: binder_alloc_mmap_handler: 24200 20001000-20004000 already mapped failed -16 03:51:31 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x5, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:31 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) [ 462.468315][T24201] binder: BINDER_SET_CONTEXT_MGR already set [ 462.507598][T24201] binder: 24200:24201 ioctl 40046207 0 returned -16 [ 462.562749][T24222] binder: 24200:24222 ioctl c0306201 200002c0 returned -14 03:51:31 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0xa00, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:31 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000139, 0x0) [ 462.609041][ T17] binder: release 24200:24201 transaction 2844 out, still active [ 462.626989][ T17] binder: unexpected work type, 4, not freed 03:51:31 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x6, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 462.662571][ T17] binder: undelivered TRANSACTION_COMPLETE 03:51:31 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x2000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 462.706036][ T17] binder: send failed reply for transaction 2844, target dead 03:51:31 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) [ 462.857711][T24239] binder: 24234:24239 sending u0000000000000000 node 2858, cookie mismatch 0000000000000004 != 0000000000000000 03:51:31 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000162, 0x0) 03:51:31 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x2000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:31 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x7, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 462.942910][T24239] binder: 24234:24239 ioctl c0306201 200002c0 returned -14 [ 463.027130][T24248] binder_alloc: binder_alloc_mmap_handler: 24234 20001000-20004000 already mapped failed -16 [ 463.048553][T24249] binder_alloc_new_buf_locked: 17 callbacks suppressed [ 463.048563][T24249] binder_alloc: 24234: binder_alloc_buf, no vma 03:51:31 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) [ 463.071991][T24239] binder: BINDER_SET_CONTEXT_MGR already set [ 463.083680][T24239] binder: 24234:24239 ioctl 40046207 0 returned -16 [ 463.101968][T24251] binder_alloc: 24234: binder_alloc_buf, no vma [ 463.112138][T24239] binder_alloc: 24234: binder_alloc_buf, no vma [ 463.121221][T24248] binder_alloc: 24234: binder_alloc_buf, no vma 03:51:31 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:31 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000013a, 0x0) [ 463.137880][T24248] binder: 24234:24248 ioctl c0306201 200002c0 returned -14 [ 463.153136][ T12] binder: release 24234:24239 transaction 2857 out, still active [ 463.166805][ T12] binder: unexpected work type, 4, not freed 03:51:32 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x4800, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:32 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x3000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 463.208910][ T12] binder: undelivered TRANSACTION_COMPLETE [ 463.237698][ T12] binder: send failed reply for transaction 2857, target dead 03:51:32 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000163, 0x0) 03:51:32 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0xa, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 463.359495][T24269] binder: 24266:24269 sending u0000000000000000 node 2868, cookie mismatch 0000000000000004 != 0000000000000000 [ 463.379325][T24271] binder_transaction: 1 callbacks suppressed [ 463.379340][T24271] binder: 24270:24271 got transaction with invalid offset (0, min 0 max 0) or object. [ 463.448417][T24269] binder: 24266:24269 ioctl c0306201 200002c0 returned -14 [ 463.504214][T24279] binder_alloc: binder_alloc_mmap_handler: 24266 20001000-20004000 already mapped failed -16 [ 463.521410][T24278] binder_alloc: 24266: binder_alloc_buf, no vma 03:51:32 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000164, 0x0) 03:51:32 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x4c00, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 463.548969][T24269] binder: BINDER_SET_CONTEXT_MGR already set [ 463.575691][T24269] binder: 24266:24269 ioctl 40046207 0 returned -16 03:51:32 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x48, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:32 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000013b, 0x0) [ 463.684189][T24269] binder_alloc: 24266: binder_alloc_buf, no vma [ 463.732745][ T17] binder: send failed reply for transaction 2867 to 24266:24269 [ 463.751053][ T17] binder: undelivered TRANSACTION_COMPLETE [ 463.767306][T24279] binder_alloc: 24266: binder_alloc_buf, no vma 03:51:32 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x6000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:32 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) [ 463.810453][T24279] binder: 24266:24279 ioctl c0306201 200002c0 returned -14 03:51:32 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x4c, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:32 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x4000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:32 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x6800, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:32 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:32 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x68, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 464.055891][T24307] binder: 24306:24307 sending u0000000000000000 node 2881, cookie mismatch 0000000000000004 != 0000000000000000 [ 464.087099][T24310] binder: 24308:24310 got transaction with invalid offset (0, min 0 max 0) or object. [ 464.152026][T24307] binder: 24306:24307 ioctl c0306201 200002c0 returned -14 [ 464.176897][T24316] binder_alloc: binder_alloc_mmap_handler: 24306 20001000-20004000 already mapped failed -16 [ 464.179416][T24317] binder_alloc: 24306: binder_alloc_buf, no vma 03:51:33 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000165, 0x0) 03:51:33 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x6c00, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 464.219810][T24307] binder: BINDER_SET_CONTEXT_MGR already set [ 464.253773][T24307] binder: 24306:24307 ioctl 40046207 0 returned -16 03:51:33 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000013c, 0x0) [ 464.277616][T24307] binder_alloc: 24306: binder_alloc_buf, no vma [ 464.295323][T24316] binder_alloc: 24306: binder_alloc_buf, no vma [ 464.320658][T24316] binder: 24306:24316 ioctl c0306201 200002c0 returned -14 03:51:33 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x6c, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 464.365007][ T17] binder: release 24306:24307 transaction 2880 out, still active [ 464.388885][ T17] binder: unexpected work type, 4, not freed 03:51:33 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x5000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:33 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x7400, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 464.428083][ T17] binder: undelivered TRANSACTION_COMPLETE [ 464.464851][ T17] binder: send failed reply for transaction 2880, target dead 03:51:33 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x74, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 464.576934][T24336] binder: 24335:24336 sending u0000000000000000 node 2892, cookie mismatch 0000000000000004 != 0000000000000000 [ 464.610351][T24338] binder: 24337:24338 got transaction with invalid offset (0, min 0 max 0) or object. [ 464.653488][T24336] binder: 24335:24336 ioctl c0306201 200002c0 returned -14 [ 464.675139][T24342] binder: 24341:24342 got transaction with invalid offset (0, min 0 max 0) or object. 03:51:33 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:33 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000166, 0x0) 03:51:33 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x7a, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 464.713957][T24344] binder_alloc: binder_alloc_mmap_handler: 24335 20001000-20004000 already mapped failed -16 [ 464.748605][T24336] binder: BINDER_SET_CONTEXT_MGR already set 03:51:33 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x7a00, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:33 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000013d, 0x0) [ 464.785742][T24336] binder: 24335:24336 ioctl 40046207 0 returned -16 [ 464.820848][T24349] binder: 24335:24349 ioctl c0306201 200002c0 returned -14 03:51:33 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x300, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 464.898711][ T12] binder: release 24335:24336 transaction 2891 out, still active [ 464.921876][ T12] binder: unexpected work type, 4, not freed 03:51:33 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x6000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:33 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000167, 0x0) 03:51:33 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x500, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 464.971966][ T12] binder: undelivered TRANSACTION_COMPLETE [ 465.010037][ T12] binder: send failed reply for transaction 2891, target dead 03:51:33 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 465.157652][T24373] binder: 24370:24373 sending u0000000000000000 node 2904, cookie mismatch 0000000000000004 != 0000000000000000 [ 465.178906][T24375] binder: 24374:24375 got transaction with invalid offset (0, min 0 max 0) or object. [ 465.195150][T24376] binder: 24368:24376 got transaction with invalid offset (0, min 0 max 0) or object. [ 465.224709][T24373] binder: 24370:24373 ioctl c0306201 200002c0 returned -14 03:51:34 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x600, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:34 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 465.285063][T24380] binder_alloc: binder_alloc_mmap_handler: 24370 20001000-20004000 already mapped failed -16 03:51:34 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:34 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000168, 0x0) 03:51:34 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000013e, 0x0) [ 465.332386][T24373] binder: BINDER_SET_CONTEXT_MGR already set [ 465.352118][T24380] binder_transaction: 55 callbacks suppressed [ 465.352135][T24380] binder: 24370:24380 transaction failed 29189/-3, size 24-8 line 3147 [ 465.403820][T24389] binder: 24386:24389 transaction failed 29189/-3, size 0-8 line 3147 03:51:34 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) [ 465.465492][T24396] binder: 24395:24396 transaction failed 29189/-3, size 0-8 line 3147 [ 465.477707][ T12] binder: release 24370:24373 transaction 2903 out, still active [ 465.486007][T24384] binder: 24370:24384 transaction failed 29189/-3, size 24-8 line 3147 [ 465.500497][ T12] binder: unexpected work type, 4, not freed 03:51:34 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x700, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:34 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000169, 0x0) [ 465.530147][ T12] binder: undelivered TRANSACTION_COMPLETE [ 465.542884][T24373] binder: 24370:24373 ioctl 40046207 0 returned -16 [ 465.562417][ T12] binder: send failed reply for transaction 2903, target dead [ 465.572725][T24384] binder: 24370:24384 ioctl c0306201 200002c0 returned -14 [ 465.642252][T24405] binder: 24400:24405 transaction failed 29189/-22, size 0-8 line 2994 03:51:34 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x7000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:34 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x3000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 465.756762][T24410] binder: 24408:24410 transaction failed 29189/-22, size 0-8 line 2994 03:51:34 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0xa00, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 465.799236][T24412] binder: 24411:24412 sending u0000000000000000 node 2917, cookie mismatch 0000000000000004 != 0000000000000000 03:51:34 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x4000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 465.850973][T24412] binder: 24411:24412 transaction failed 29201/-22, size 24-8 line 3257 [ 465.868603][T24412] binder: 24411:24412 ioctl c0306201 200002c0 returned -14 [ 465.890269][T24418] binder: 24417:24418 got transaction with invalid offset (0, min 0 max 0) or object. 03:51:34 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000016a, 0x0) 03:51:34 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000013f, 0x0) [ 465.911977][T24418] binder: 24417:24418 transaction failed 29201/-22, size 0-8 line 3241 [ 465.961813][T24420] binder_alloc: binder_alloc_mmap_handler: 24411 20001000-20004000 already mapped failed -16 [ 465.982159][T24412] binder: BINDER_SET_CONTEXT_MGR already set [ 466.005828][T24423] binder: 24422:24423 transaction failed 29189/-3, size 0-8 line 3147 [ 466.015551][T24412] binder: 24411:24412 ioctl 40046207 0 returned -16 03:51:34 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x4800, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:34 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x5000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 466.117832][T24412] binder: 24411:24412 transaction failed 29189/-3, size 24-8 line 3147 [ 466.158173][T24420] binder: 24411:24420 ioctl c0306201 200002c0 returned -14 [ 466.163892][ T12] binder: send failed reply for transaction 2916 to 24411:24412 [ 466.185683][ T12] binder: undelivered TRANSACTION_COMPLETE 03:51:35 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) [ 466.214995][ T12] binder_release_work: 59 callbacks suppressed [ 466.215002][ T12] binder: undelivered TRANSACTION_ERROR: 29201 03:51:35 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x4c00, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:35 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x6000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:35 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000016b, 0x0) 03:51:35 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x8000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 466.263534][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 466.291849][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 466.359809][ T12] binder: undelivered TRANSACTION_ERROR: 29189 03:51:35 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000140, 0x0) [ 466.413283][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 466.432701][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 466.447224][T24455] binder: 24453:24455 sending u0000000000000000 node 2930, cookie mismatch 0000000000000004 != 0000000000000000 03:51:35 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x6800, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:35 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x7000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 466.476736][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 466.499265][ T17] binder: undelivered TRANSACTION_ERROR: 29189 03:51:35 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x0, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) [ 466.529190][T24455] binder: 24453:24455 ioctl c0306201 200002c0 returned -14 [ 466.565841][T24465] binder_alloc: binder_alloc_mmap_handler: 24453 20001000-20004000 already mapped failed -16 03:51:35 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000016c, 0x0) 03:51:35 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x8000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 466.639209][T24455] binder: BINDER_SET_CONTEXT_MGR already set 03:51:35 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x6c00, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 466.684109][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 466.696790][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 466.703532][T24455] binder: 24453:24455 ioctl 40046207 0 returned -16 [ 466.748204][T24477] binder: 24453:24477 ioctl c0306201 200002c0 returned -14 [ 466.791033][ T17] binder: release 24453:24455 transaction 2929 out, still active [ 466.809952][ T17] binder: unexpected work type, 4, not freed 03:51:35 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0xa000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:35 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0xa000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:35 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x0, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:35 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x7400, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 466.840645][ T17] binder: undelivered TRANSACTION_COMPLETE [ 466.880065][ T17] binder: send failed reply for transaction 2929, target dead 03:51:35 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000141, 0x0) [ 467.013378][T24489] binder: 24486:24489 sending u0000000000000000 node 2941, cookie mismatch 0000000000000004 != 0000000000000000 [ 467.046722][T24493] binder: 24492:24493 got transaction with invalid offset (0, min 0 max 0) or object. 03:51:35 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000016d, 0x0) [ 467.062164][T24489] binder: 24486:24489 ioctl c0306201 200002c0 returned -14 [ 467.065470][T24494] binder: 24491:24494 got transaction with invalid offset (0, min 0 max 0) or object. 03:51:35 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x0, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) [ 467.123355][T24502] binder_alloc: binder_alloc_mmap_handler: 24486 20001000-20004000 already mapped failed -16 03:51:35 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x7a00, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 467.201442][T24489] binder: BINDER_SET_CONTEXT_MGR already set [ 467.241461][T24489] binder: 24486:24489 ioctl 40046207 0 returned -16 03:51:36 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000016e, 0x0) 03:51:36 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x20000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 467.288736][T24511] binder: 24486:24511 ioctl c0306201 200002c0 returned -14 03:51:36 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x1000000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 467.349508][ T17] binder: release 24486:24489 transaction 2940 out, still active [ 467.383270][ T17] binder: unexpected work type, 4, not freed 03:51:36 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x10000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:36 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000142, 0x0) [ 467.419617][ T17] binder: undelivered TRANSACTION_COMPLETE [ 467.445782][ T17] binder: send failed reply for transaction 2940, target dead 03:51:36 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x48000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:36 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x0, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:36 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x2000000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 467.581894][T24531] binder: 24524:24531 sending u0000000000000000 node 2953, cookie mismatch 0000000000000004 != 0000000000000000 [ 467.588672][T24528] binder: 24527:24528 got transaction with invalid offset (0, min 0 max 0) or object. 03:51:36 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x0, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) [ 467.675697][T24531] binder: 24524:24531 ioctl c0306201 200002c0 returned -14 [ 467.710694][T24537] binder_alloc: binder_alloc_mmap_handler: 24524 20001000-20004000 already mapped failed -16 03:51:36 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x3000000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:36 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x4c000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 467.760335][T24531] binder: BINDER_SET_CONTEXT_MGR already set [ 467.787629][T24531] binder: 24524:24531 ioctl 40046207 0 returned -16 03:51:36 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000016f, 0x0) [ 467.872184][T24550] binder: 24524:24550 ioctl c0306201 200002c0 returned -14 03:51:36 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x0, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:36 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x4000000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 467.916164][ T17] binder: send failed reply for transaction 2952 to 24524:24531 [ 467.933331][ T17] binder: undelivered TRANSACTION_COMPLETE 03:51:36 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x60000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:37 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x20000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:37 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000143, 0x0) 03:51:37 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:37 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x5000000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:37 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x68000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:37 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x6000000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 468.270452][T24580] binder: 24578:24580 sending u0000000000000000 node 2968, cookie mismatch 0000000000000004 != 0000000000000000 03:51:37 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000170, 0x0) 03:51:37 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x6c000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 468.402887][T24580] binder: 24578:24580 ioctl c0306201 200002c0 returned -14 [ 468.418734][T24584] binder_transaction: 2 callbacks suppressed [ 468.418749][T24584] binder: 24582:24584 got transaction with invalid offset (0, min 0 max 0) or object. [ 468.464708][T24590] binder_alloc: binder_alloc_mmap_handler: 24578 20001000-20004000 already mapped failed -16 [ 468.483154][T24586] binder_alloc_new_buf_locked: 26 callbacks suppressed [ 468.483164][T24586] binder_alloc: 24578: binder_alloc_buf, no vma 03:51:37 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:37 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x74000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 468.580662][T24590] binder_alloc: 24578: binder_alloc_buf, no vma [ 468.583036][T24591] binder: BINDER_SET_CONTEXT_MGR already set 03:51:37 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x7000000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 468.639132][T24590] binder: 24578:24590 ioctl c0306201 200002c0 returned -14 [ 468.671961][T24591] binder: 24578:24591 ioctl 40046207 0 returned -16 [ 468.672113][ T17] binder: release 24578:24580 transaction 2967 out, still active 03:51:37 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000144, 0x0) [ 468.716362][T24599] binder_alloc: 24578: binder_alloc_buf, no vma [ 468.726075][ T17] binder: unexpected work type, 4, not freed [ 468.740265][ T17] binder: undelivered TRANSACTION_COMPLETE [ 468.771647][ T17] binder: send failed reply for transaction 2967, target dead 03:51:37 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x48000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:37 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x8000000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:37 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x7a000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:37 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000171, 0x0) [ 468.938677][T24610] binder: 24606:24610 sending u0000000000000000 node 2978, cookie mismatch 0000000000000004 != 0000000000000000 [ 468.957963][T24613] binder: 24612:24613 got transaction with invalid offset (0, min 0 max 0) or object. [ 469.015853][T24616] binder: 24615:24616 got transaction with invalid offset (0, min 0 max 0) or object. [ 469.022992][T24610] binder: 24606:24610 ioctl c0306201 200002c0 returned -14 [ 469.068214][T24619] binder_alloc: binder_alloc_mmap_handler: 24606 20001000-20004000 already mapped failed -16 [ 469.105973][T24610] binder: BINDER_SET_CONTEXT_MGR already set 03:51:37 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0xfdfdffff, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:37 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0xa000000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 469.126825][T24610] binder: 24606:24610 ioctl 40046207 0 returned -16 [ 469.158131][T24619] binder_alloc: 24606: binder_alloc_buf, no vma 03:51:38 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000172, 0x0) [ 469.228441][ T17] binder: send failed reply for transaction 2977 to 24606:24610 03:51:38 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x4c000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 469.289352][ T17] binder: undelivered TRANSACTION_COMPLETE [ 469.443390][T24636] binder: 24635:24636 sending u0000000000000000 node 2988, cookie mismatch 0000000000000004 != 0000000000000000 03:51:38 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:38 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000145, 0x0) 03:51:38 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0xfffffdfd, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:38 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x48000000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:38 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000173, 0x0) [ 469.509649][T24636] binder: 24635:24636 ioctl c0306201 200002c0 returned -14 [ 469.546710][T24640] binder_alloc: binder_alloc_mmap_handler: 24635 20001000-20004000 already mapped failed -16 [ 469.602992][T24636] binder: BINDER_SET_CONTEXT_MGR already set [ 469.616265][T24636] binder: 24635:24636 ioctl 40046207 0 returned -16 [ 469.617052][T24649] binder_alloc: 24635: binder_alloc_buf, no vma [ 469.655357][T24650] binder_alloc: 24635: binder_alloc_buf, no vma [ 469.671841][T24640] binder_alloc: 24635: binder_alloc_buf, no vma [ 469.678644][ T17] binder: release 24635:24636 transaction 2987 out, still active [ 469.698573][T24651] binder_alloc: 24635: binder_alloc_buf, no vma 03:51:38 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x100000000000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 469.712172][ T17] binder: unexpected work type, 4, not freed [ 469.718198][ T17] binder: undelivered TRANSACTION_COMPLETE [ 469.745571][T24651] binder: 24635:24651 ioctl c0306201 200002c0 returned -14 03:51:38 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x4c000000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:38 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000174, 0x0) [ 469.766608][ T17] binder: send failed reply for transaction 2987, target dead 03:51:38 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x68000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:38 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x200000000000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:38 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x68000000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 469.996890][T24666] binder: 24664:24666 sending u0000000000000000 node 2999, cookie mismatch 0000000000000004 != 0000000000000000 03:51:38 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000146, 0x0) 03:51:38 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(0xffffffffffffffff, &(0x7f0000000480), 0x2e9, 0xffd8) [ 470.075209][T24670] binder: 24668:24670 got transaction with invalid offset (0, min 0 max 0) or object. [ 470.077110][T24672] binder: 24671:24672 got transaction with invalid offset (0, min 0 max 0) or object. [ 470.095535][T24666] binder: 24664:24666 ioctl c0306201 200002c0 returned -14 [ 470.140875][T24678] binder_alloc: binder_alloc_mmap_handler: 24664 20001000-20004000 already mapped failed -16 03:51:39 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(0xffffffffffffffff, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:39 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x300000000000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 470.186086][T24666] binder: BINDER_SET_CONTEXT_MGR already set 03:51:39 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x6c000000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 470.226688][T24678] binder_alloc: 24664: binder_alloc_buf, no vma [ 470.300663][T24666] binder: 24664:24666 ioctl 40046207 0 returned -16 [ 470.333383][ T12] binder: send failed reply for transaction 2998 to 24664:24666 [ 470.341767][T24686] binder_alloc: 24664: binder_alloc_buf, no vma 03:51:39 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000175, 0x0) [ 470.351020][ T12] binder: undelivered TRANSACTION_COMPLETE [ 470.360417][T24680] binder: 24664:24680 ioctl c0306201 200002c0 returned -14 03:51:39 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(0xffffffffffffffff, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:39 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x74000000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:39 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x6c000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:39 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x400000000000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:39 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000147, 0x0) [ 470.544023][T24702] binder_transaction: 57 callbacks suppressed [ 470.544042][T24702] binder: 24701:24702 transaction failed 29189/-22, size 0-8 line 2994 [ 470.578760][T24705] binder: 24703:24705 transaction failed 29189/-22, size 0-8 line 2994 [ 470.610873][T24708] binder: 24706:24708 sending u0000000000000000 node 3012, cookie mismatch 0000000000000004 != 0000000000000000 03:51:39 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x500000000000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:39 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, 0x0, 0x0, 0xffd8) [ 470.693281][T24708] binder: 24706:24708 transaction failed 29201/-22, size 24-8 line 3257 03:51:39 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x7a000000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 470.768440][T24708] binder: 24706:24708 ioctl c0306201 200002c0 returned -14 [ 470.796094][T24715] binder: 24713:24715 got transaction with invalid offset (0, min 0 max 0) or object. [ 470.826891][T24718] binder_alloc: binder_alloc_mmap_handler: 24706 20001000-20004000 already mapped failed -16 [ 470.853900][T24715] binder: 24713:24715 transaction failed 29201/-22, size 0-8 line 3241 [ 470.869206][T24720] binder: 24717:24720 transaction failed 29189/-3, size 0-8 line 3147 03:51:39 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, 0x0, 0x0, 0xffd8) [ 470.888474][T24708] binder: BINDER_SET_CONTEXT_MGR already set 03:51:39 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000176, 0x0) 03:51:39 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x100000000000000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 470.941867][T24708] binder: 24706:24708 ioctl 40046207 0 returned -16 [ 470.976957][T24718] binder: 24706:24718 transaction failed 29189/-3, size 24-8 line 3147 03:51:39 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x600000000000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:39 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000148, 0x0) [ 471.002992][ T12] binder: send failed reply for transaction 3011 to 24706:24708 [ 471.010743][ T12] binder: undelivered TRANSACTION_COMPLETE [ 471.017297][T24723] binder: 24706:24723 transaction failed 29189/-3, size 24-8 line 3147 [ 471.053536][T24723] binder: 24706:24723 ioctl c0306201 200002c0 returned -14 03:51:39 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, 0x0, 0x0, 0xffd8) [ 471.093902][T24735] binder: 24734:24735 transaction failed 29189/-22, size 0-8 line 2994 03:51:39 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x74000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:40 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000177, 0x0) [ 471.191957][T24742] binder: 24738:24742 transaction failed 29189/-22, size 0-8 line 2994 03:51:40 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x200000000000000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 471.280210][T24748] binder: 24744:24748 sending u0000000000000000 node 3023, cookie mismatch 0000000000000004 != 0000000000000000 [ 471.319275][ T17] binder_release_work: 61 callbacks suppressed 03:51:40 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x700000000000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:40 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0x0) [ 471.319284][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 471.381516][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 471.394640][T24753] binder: 24752:24753 got transaction with invalid offset (0, min 0 max 0) or object. [ 471.396525][T24748] binder: 24744:24748 transaction failed 29201/-22, size 24-8 line 3257 [ 471.451556][T24759] binder: 24757:24759 got transaction with invalid offset (0, min 0 max 0) or object. [ 471.470973][T24748] binder: 24744:24748 ioctl c0306201 200002c0 returned -14 03:51:40 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x800000000000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 471.515346][T24761] binder_alloc: binder_alloc_mmap_handler: 24744 20001000-20004000 already mapped failed -16 [ 471.521330][ T17] binder: undelivered TRANSACTION_ERROR: 29201 03:51:40 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x300000000000000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:40 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000149, 0x0) [ 471.556885][ T17] binder: undelivered TRANSACTION_ERROR: 29201 [ 471.563391][T24748] binder: BINDER_SET_CONTEXT_MGR already set [ 471.633197][T24748] binder: 24744:24748 ioctl 40046207 0 returned -16 [ 471.644422][T24768] binder: 24744:24768 ioctl c0306201 200002c0 returned -14 03:51:40 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0xa00000000000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 471.710556][ T17] binder: release 24744:24748 transaction 3022 out, still active [ 471.729140][ T17] binder: unexpected work type, 4, not freed 03:51:40 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x400000000000000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 471.762653][ T17] binder: undelivered TRANSACTION_COMPLETE 03:51:40 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000178, 0x0) [ 471.808093][ T17] binder: undelivered TRANSACTION_ERROR: 29201 03:51:40 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x7a000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 471.861873][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 471.919087][ T17] binder: undelivered TRANSACTION_ERROR: 29189 03:51:40 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x2000000000000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:40 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x500000000000000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 471.965149][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 471.999897][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 472.048209][ T17] binder: undelivered TRANSACTION_ERROR: 29189 [ 472.087732][ T17] binder: send failed reply for transaction 3022, target dead [ 472.101124][T24785] binder: 24784:24785 sending u0000000000000000 node 3036, cookie mismatch 0000000000000004 != 0000000000000000 [ 472.120794][T24792] binder: 24789:24792 got transaction with invalid offset (0, min 0 max 0) or object. 03:51:40 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000014a, 0x0) [ 472.143166][T24790] binder: 24788:24790 got transaction with invalid offset (0, min 0 max 0) or object. 03:51:40 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x600000000000000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 472.190510][T24785] binder: 24784:24785 ioctl c0306201 200002c0 returned -14 [ 472.250037][T24797] binder_alloc: binder_alloc_mmap_handler: 24784 20001000-20004000 already mapped failed -16 [ 472.336208][T24785] binder: BINDER_SET_CONTEXT_MGR already set [ 472.351885][T24785] binder: 24784:24785 ioctl 40046207 0 returned -16 [ 472.376916][T24803] binder: 24784:24803 ioctl c0306201 200002c0 returned -14 [ 472.394470][ T17] binder: release 24784:24785 transaction 3035 out, still active [ 472.427133][ T17] binder: unexpected work type, 4, not freed [ 472.466851][ T17] binder: undelivered TRANSACTION_COMPLETE [ 472.498993][ T17] binder: send failed reply for transaction 3035, target dead 03:51:41 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x700000000000000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:41 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x4800000000000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:41 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000179, 0x0) 03:51:41 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x100000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:41 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000014b, 0x0) 03:51:41 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000200)=[@flat={0x73622a85}], 0x0}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 472.664297][T24814] binder: 24812:24814 sending u0000000000000000 node 3048, cookie mismatch 0000000000000004 != 0000000000000000 03:51:41 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x800000000000000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:41 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x4c00000000000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 472.719014][T24814] binder: 24812:24814 ioctl c0306201 200002c0 returned -14 [ 472.730381][T24821] binder: 24820:24821 got new transaction with bad transaction stack, transaction 3051 has target 24812:0 [ 472.741585][T24823] binder_alloc: binder_alloc_mmap_handler: 24812 20001000-20004000 already mapped failed -16 [ 472.752951][T24821] binder: 24820:24821 ioctl c0306201 200002c0 returned -14 03:51:41 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000017a, 0x0) [ 472.848370][T24814] binder: BINDER_SET_CONTEXT_MGR already set [ 472.869199][T24814] binder: 24812:24814 ioctl 40046207 0 returned -16 [ 472.882212][ T17] binder: release 24820:24821 transaction 3051 out, still active 03:51:41 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:41 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0xa00000000000000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 472.893398][ T17] binder: undelivered TRANSACTION_COMPLETE [ 472.903866][T24823] binder: 24812:24823 ioctl c0306201 200002c0 returned -14 [ 472.938090][ T17] binder: release 24812:24814 transaction 3047 out, still active 03:51:41 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x6000000000000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:41 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x200000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 472.974039][ T17] binder: unexpected work type, 4, not freed [ 473.000891][T24838] binder: 24833:24838 ioctl c0306201 200002c0 returned -14 [ 473.015211][ T17] binder: undelivered TRANSACTION_COMPLETE [ 473.041904][ T17] binder: send failed reply for transaction 3047, target dead [ 473.060962][T24844] binder: 24833:24844 ioctl c0306201 200002c0 returned -14 03:51:41 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000017b, 0x0) [ 473.092615][ T17] binder: send failed reply for transaction 3051, target dead [ 473.105538][T24848] binder: 24846:24848 sending u0000000000000000 node 3063, cookie mismatch 0000000000000004 != 0000000000000000 03:51:41 executing program 3: openat$ipvs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sys/net/ipv4/vs/sync_refresh_period\x00', 0x2, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000180)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$VIDIOC_S_MODULATOR(0xffffffffffffffff, 0x40445637, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000400)={0x0, 0x3, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, 0x0, 0x242, 0x0, 0x0, 0x0) ioctl$KVM_REGISTER_COALESCED_MMIO(r1, 0x4010ae67, &(0x7f0000000140)={0x0, 0x8000}) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000000000/0x18000)=nil, 0x0, 0x30, 0x0, 0x0, 0xfffffffffffffee3) ioctl$KVM_NMI(r2, 0xae9a) ioctl$KVM_RUN(r2, 0xae80, 0x0) 03:51:41 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000014c, 0x0) 03:51:42 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x6800000000000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 473.145545][T24848] binder: 24846:24848 ioctl c0306201 200002c0 returned -14 [ 473.178017][T24851] binder_alloc: binder_alloc_mmap_handler: 24846 20001000-20004000 already mapped failed -16 03:51:42 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x4800000000000000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 473.277518][T24848] binder: BINDER_SET_CONTEXT_MGR already set [ 473.337669][T24866] binder: 24846:24866 ioctl c0306201 200002c0 returned -14 [ 473.343051][T24848] binder: 24846:24848 ioctl 40046207 0 returned -16 03:51:42 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x4c00000000000000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:42 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x6c00000000000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 473.474604][ T17] binder: send failed reply for transaction 3062 to 24846:24848 03:51:42 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x300000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 473.519327][ T17] binder: undelivered TRANSACTION_COMPLETE 03:51:42 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x7400000000000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:42 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x6800000000000000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:42 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000017c, 0x0) [ 473.678402][T24878] binder: 24877:24878 sending u0000000000000000 node 3075, cookie mismatch 0000000000000004 != 0000000000000000 [ 473.713693][T24890] binder_transaction: 1 callbacks suppressed 03:51:42 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000014d, 0x0) [ 473.713708][T24890] binder: 24883:24890 got transaction with invalid offset (0, min 0 max 0) or object. [ 473.741268][T24878] binder: 24877:24878 ioctl c0306201 200002c0 returned -14 [ 473.751051][T24888] binder: 24887:24888 got transaction with invalid offset (0, min 0 max 0) or object. [ 473.783704][T24893] binder_alloc: binder_alloc_mmap_handler: 24877 20001000-20004000 already mapped failed -16 03:51:42 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x7a00000000000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 473.843263][T24878] binder: BINDER_SET_CONTEXT_MGR already set 03:51:42 executing program 3: sendmsg$key(0xffffffffffffffff, &(0x7f0000000340)={0x0, 0x0, 0x0}, 0x0) r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140)='/dev/kvm\x00', 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) r3 = memfd_create(&(0x7f0000000100)='\vem1\xc1\xf8\xa6\x8dN\xc0\xa3\\\xe2\xcb\xa2\xba\xe5\xf4\x97\xac#*\xff', 0x0) mmap(&(0x7f0000000000/0x7000)=nil, 0x7000, 0x0, 0x11, r3, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r2, &(0x7f0000000000/0x18000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0) [ 473.902040][T24878] binder: 24877:24878 ioctl 40046207 0 returned -16 [ 473.902346][T24893] binder_alloc_new_buf_locked: 22 callbacks suppressed [ 473.902354][T24893] binder_alloc: 24877: binder_alloc_buf, no vma 03:51:42 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x6c00000000000000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:42 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000017d, 0x0) [ 473.976005][T24900] binder_alloc: 24877: binder_alloc_buf, no vma [ 474.023162][T24898] binder_alloc: 24877: binder_alloc_buf, no vma [ 474.029601][T24898] binder: 24877:24898 ioctl c0306201 200002c0 returned -14 [ 474.036557][T24905] binder_alloc: 24877: binder_alloc_buf, no vma [ 474.054423][ T17] binder: release 24877:24878 transaction 3074 out, still active 03:51:42 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0xfdfdffff00000000, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 474.090569][ T17] binder: unexpected work type, 4, not freed [ 474.128214][ T17] binder: undelivered TRANSACTION_COMPLETE 03:51:42 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x7400000000000000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:42 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x400000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 474.160731][ T17] binder: send failed reply for transaction 3074, target dead 03:51:43 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:43 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000014e, 0x0) 03:51:43 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x7a00000000000000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 474.351927][T24924] binder: 24919:24924 sending u0000000000000000 node 3088, cookie mismatch 0000000000000004 != 0000000000000000 [ 474.410567][T24926] binder: 24925:24926 got transaction with invalid offset (0, min 0 max 0) or object. 03:51:43 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x10, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) r2 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r2, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 474.461279][T24924] binder: 24919:24924 ioctl c0306201 200002c0 returned -14 [ 474.496679][T24934] binder: 24931:24934 got transaction with invalid offset (0, min 0 max 0) or object. [ 474.512510][T24936] binder_alloc: binder_alloc_mmap_handler: 24919 20001000-20004000 already mapped failed -16 03:51:43 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:43 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:43 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000017e, 0x0) [ 474.607553][T24938] binder: BINDER_SET_CONTEXT_MGR already set [ 474.665547][T24938] binder: 24937:24938 ioctl 40046207 0 returned -16 [ 474.672625][T24943] binder_alloc: 24919: binder_alloc_buf, no vma [ 474.685241][T24947] binder: BINDER_SET_CONTEXT_MGR already set [ 474.694723][T24924] binder_alloc: 24919: binder_alloc_buf, no vma [ 474.705244][T24947] binder: 24919:24947 ioctl 40046207 0 returned -16 03:51:43 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 474.727588][T24936] binder_alloc: 24919: binder_alloc_buf, no vma [ 474.745682][T24948] binder_alloc: 24919: binder_alloc_buf, no vma [ 474.762908][ T12] binder: release 24919:24924 transaction 3087 out, still active [ 474.777358][T24936] binder: 24919:24936 ioctl c0306201 200002c0 returned -14 [ 474.780027][ T12] binder: unexpected work type, 4, not freed [ 474.789605][T24946] binder_alloc: 24919: binder_alloc_buf, no vma 03:51:43 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x3, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 474.831277][T24938] binder_alloc: 24919: binder_alloc_buf, no vma [ 474.835274][ T12] binder: undelivered TRANSACTION_COMPLETE [ 474.871378][ T12] binder: send failed reply for transaction 3087, target dead 03:51:43 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x500000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:43 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000014f, 0x0) [ 474.894028][T24938] binder: 24937:24938 ioctl c0306201 200002c0 returned -14 03:51:43 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x5, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:43 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000017f, 0x0) 03:51:43 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x4, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:43 executing program 3: mkdir(&(0x7f0000000000)='./file0\x00', 0x0) [ 475.053846][T24963] binder: 24960:24963 sending u0000000000000000 node 3103, cookie mismatch 0000000000000004 != 0000000000000000 [ 475.111147][T24963] binder: 24960:24963 ioctl c0306201 200002c0 returned -14 [ 475.150346][T24974] binder_alloc: binder_alloc_mmap_handler: 24960 20001000-20004000 already mapped failed -16 03:51:44 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x5, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 475.196078][T24963] binder: BINDER_SET_CONTEXT_MGR already set [ 475.235099][T24963] binder: 24960:24963 ioctl 40046207 0 returned -16 [ 475.238083][T24977] binder: 24960:24977 ioctl c0306201 200002c0 returned -14 03:51:44 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x6, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 475.280970][ T22] binder: release 24960:24963 transaction 3102 out, still active [ 475.308774][ T22] binder: unexpected work type, 4, not freed 03:51:44 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x0, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) [ 475.352366][ T22] binder: undelivered TRANSACTION_COMPLETE 03:51:44 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000150, 0x0) [ 475.392594][ T22] binder: send failed reply for transaction 3102, target dead 03:51:44 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x6, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:44 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x600000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 475.523261][T24992] binder: 24991:24992 sending u0000000000000000 node 3114, cookie mismatch 0000000000000004 != 0000000000000000 [ 475.559986][T24992] binder_transaction: 61 callbacks suppressed 03:51:44 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 475.560004][T24992] binder: 24991:24992 transaction failed 29201/-22, size 24-8 line 3257 [ 475.569280][T24998] binder: 24994:24998 got transaction with invalid data ptr [ 475.608046][T24992] binder: 24991:24992 ioctl c0306201 200002c0 returned -14 03:51:44 executing program 3: perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:44 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000180, 0x0) [ 475.622270][T24998] binder: 24994:24998 transaction failed 29201/-14, size 6-8 line 3179 [ 475.658119][T25000] binder_alloc: binder_alloc_mmap_handler: 24991 20001000-20004000 already mapped failed -16 [ 475.715591][T25004] binder: 25001:25004 transaction failed 29189/-3, size 0-8 line 3147 [ 475.722333][T24992] binder: BINDER_SET_CONTEXT_MGR already set [ 475.738728][T24992] binder: 24991:24992 ioctl 40046207 0 returned -16 03:51:44 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x7, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 475.768587][T25000] binder: 24991:25000 transaction failed 29189/-3, size 24-8 line 3147 03:51:44 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 475.811978][T25009] binder: 24991:25009 transaction failed 29189/-3, size 24-8 line 3147 [ 475.826995][ T12] binder: release 24991:24992 transaction 3113 out, still active [ 475.837211][T25009] binder: 24991:25009 ioctl c0306201 200002c0 returned -14 [ 475.850122][ T12] binder: unexpected work type, 4, not freed [ 475.892521][ T12] binder: undelivered TRANSACTION_COMPLETE [ 475.893907][T25013] binder: 25011:25013 transaction failed 29189/-3, size 7-8 line 3147 03:51:44 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x700000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 475.935839][ T12] binder: send failed reply for transaction 3113, target dead [ 475.963685][T25017] binder: 25014:25017 transaction failed 29189/-22, size 0-8 line 2994 03:51:44 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 476.074533][T25020] binder: 25019:25020 sending u0000000000000000 node 3125, cookie mismatch 0000000000000004 != 0000000000000000 03:51:44 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000151, 0x0) 03:51:44 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:44 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000181, 0x0) [ 476.125601][T25020] binder: 25019:25020 transaction failed 29201/-22, size 24-8 line 3257 [ 476.146273][T25025] binder: 25023:25025 got transaction with invalid data ptr [ 476.169627][T25020] binder: 25019:25020 ioctl c0306201 200002c0 returned -14 [ 476.194804][T25025] binder: 25023:25025 transaction failed 29201/-14, size 8-8 line 3179 [ 476.215559][T25031] binder_alloc: binder_alloc_mmap_handler: 25019 20001000-20004000 already mapped failed -16 [ 476.230747][T25029] binder: 25028:25029 got transaction with invalid offset (0, min 0 max 0) or object. [ 476.260217][T25020] binder: BINDER_SET_CONTEXT_MGR already set 03:51:45 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x6, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 476.285150][T25029] binder: 25028:25029 transaction failed 29201/-22, size 0-8 line 3241 [ 476.308650][T25020] binder: 25019:25020 ioctl 40046207 0 returned -16 03:51:45 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0xa, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:45 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x48, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 476.352541][ T22] binder_release_work: 62 callbacks suppressed [ 476.352549][ T22] binder: undelivered TRANSACTION_ERROR: 29201 [ 476.391567][T25039] binder: 25019:25039 ioctl c0306201 200002c0 returned -14 [ 476.430489][ T22] binder: undelivered TRANSACTION_ERROR: 29201 [ 476.461407][ T22] binder: send failed reply for transaction 3124 to 25019:25020 [ 476.495771][ T22] binder: undelivered TRANSACTION_ERROR: 29189 [ 476.519794][ T22] binder: undelivered TRANSACTION_ERROR: 29189 03:51:45 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x800000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:45 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x4c, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:45 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:45 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x48, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 476.545602][ T22] binder: undelivered TRANSACTION_ERROR: 29189 [ 476.631311][ T22] binder: undelivered TRANSACTION_ERROR: 29189 [ 476.669727][ T22] binder: undelivered TRANSACTION_ERROR: 29189 03:51:45 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000182, 0x0) [ 476.675773][T25054] binder: 25052:25054 sending u0000000000000000 node 3137, cookie mismatch 0000000000000004 != 0000000000000000 [ 476.693480][T25057] binder: 25053:25057 got transaction with invalid offset (0, min 0 max 0) or object. [ 476.704639][ T22] binder: undelivered TRANSACTION_COMPLETE [ 476.712346][T25056] binder: 25055:25056 got transaction with invalid data ptr [ 476.718624][T25059] binder: 25047:25059 got transaction with invalid data ptr [ 476.726626][ T22] binder: undelivered TRANSACTION_ERROR: 29201 [ 476.756567][T25054] binder: 25052:25054 ioctl c0306201 200002c0 returned -14 [ 476.760784][ T22] binder: undelivered TRANSACTION_ERROR: 29189 [ 476.792776][T25062] binder_alloc: binder_alloc_mmap_handler: 25052 20001000-20004000 already mapped failed -16 03:51:45 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:45 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000152, 0x0) 03:51:45 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x60, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:45 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x4c, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 476.820074][ T22] binder: undelivered TRANSACTION_ERROR: 29201 [ 476.897406][T25054] binder: BINDER_SET_CONTEXT_MGR already set [ 476.937619][T25054] binder: 25052:25054 ioctl 40046207 0 returned -16 [ 476.937984][T25074] binder: 25052:25074 ioctl c0306201 200002c0 returned -14 03:51:45 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x68, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:45 executing program 3: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000126, 0x0) [ 477.016527][ T22] binder: release 25052:25054 transaction 3136 out, still active [ 477.034822][ T22] binder: unexpected work type, 4, not freed 03:51:45 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x68, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 477.065148][ T22] binder: undelivered TRANSACTION_COMPLETE 03:51:45 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0xa00000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 477.152188][ T22] binder: send failed reply for transaction 3136, target dead 03:51:46 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x6c, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 477.203274][T25086] binder: 25085:25086 sending u0000000000000000 node 3150, cookie mismatch 0000000000000004 != 0000000000000000 03:51:46 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000183, 0x0) [ 477.245879][T25090] binder: 25083:25090 got transaction with invalid offset (0, min 0 max 0) or object. [ 477.272226][T25086] binder: 25085:25086 ioctl c0306201 200002c0 returned -14 03:51:46 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x6c, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:46 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000153, 0x0) [ 477.336608][T25095] binder_alloc: binder_alloc_mmap_handler: 25085 20001000-20004000 already mapped failed -16 [ 477.352161][T25086] binder: BINDER_SET_CONTEXT_MGR already set [ 477.358966][T25086] binder: 25085:25086 ioctl 40046207 0 returned -16 03:51:46 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x74, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 477.406144][ T12] binder: release 25085:25086 transaction 3149 out, still active [ 477.442226][ T12] binder: unexpected work type, 4, not freed 03:51:46 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x1000000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 477.504074][ T12] binder: undelivered TRANSACTION_COMPLETE [ 477.543395][ T12] binder: send failed reply for transaction 3149, target dead 03:51:46 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x7a, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:46 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x74, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 477.632231][T25111] binder: 25110:25111 sending u0000000000000000 node 3160, cookie mismatch 0000000000000004 != 0000000000000000 [ 477.692117][T25111] binder: 25110:25111 ioctl c0306201 200002c0 returned -14 03:51:46 executing program 3: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000126, 0x0) [ 477.760467][T25119] binder_alloc: binder_alloc_mmap_handler: 25110 20001000-20004000 already mapped failed -16 03:51:46 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000184, 0x0) 03:51:46 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x7a, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:46 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x300, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 477.826352][T25123] binder: 25110:25123 ioctl c0306201 200002c0 returned -14 03:51:46 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000154, 0x0) [ 477.929796][T25122] binder: BINDER_SET_CONTEXT_MGR already set [ 477.944761][ T12] binder: release 25110:25111 transaction 3159 out, still active [ 477.953141][T25122] binder: 25110:25122 ioctl 40046207 0 returned -16 03:51:46 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x500, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:46 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000185, 0x0) [ 477.992069][ T12] binder: unexpected work type, 4, not freed [ 478.028257][ T12] binder: undelivered TRANSACTION_COMPLETE 03:51:46 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x2000000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 478.072739][ T12] binder: send failed reply for transaction 3159, target dead 03:51:46 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x300, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 478.228327][T25148] binder: 25143:25148 sending u0000000000000000 node 3172, cookie mismatch 0000000000000004 != 0000000000000000 03:51:47 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x600, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 478.293843][T25151] binder: 25150:25151 got transaction with invalid offset (0, min 0 max 0) or object. 03:51:47 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000155, 0x0) [ 478.365965][T25148] binder: 25143:25148 ioctl c0306201 200002c0 returned -14 03:51:47 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000186, 0x0) 03:51:47 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) [ 478.413739][T25160] binder_alloc: binder_alloc_mmap_handler: 25143 20001000-20004000 already mapped failed -16 03:51:47 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x500, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 478.456498][T25148] binder: BINDER_SET_CONTEXT_MGR already set 03:51:47 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x700, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 478.507623][T25148] binder: 25143:25148 ioctl 40046207 0 returned -16 [ 478.507700][T25167] binder: 25143:25167 ioctl c0306201 200002c0 returned -14 [ 478.584595][ T12] binder: release 25143:25148 transaction 3171 out, still active [ 478.599424][ T12] binder: unexpected work type, 4, not freed 03:51:47 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x600, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 478.628897][ T12] binder: undelivered TRANSACTION_COMPLETE [ 478.657030][ T12] binder: send failed reply for transaction 3171, target dead 03:51:47 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0xa00, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:47 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000187, 0x0) 03:51:47 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x4800000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:47 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x700, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 478.890987][T25187] binder: 25183:25187 sending u0000000000000000 node 3185, cookie mismatch 0000000000000004 != 0000000000000000 03:51:47 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000156, 0x0) 03:51:47 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x4800, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:47 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000188, 0x0) [ 478.962418][T25187] binder: 25183:25187 ioctl c0306201 200002c0 returned -14 [ 479.023150][T25195] binder_alloc: binder_alloc_mmap_handler: 25183 20001000-20004000 already mapped failed -16 [ 479.040031][T25196] binder_alloc_new_buf_locked: 29 callbacks suppressed [ 479.040041][T25196] binder_alloc: 25183: binder_alloc_buf, no vma [ 479.067965][T25187] binder: BINDER_SET_CONTEXT_MGR already set [ 479.117806][T25187] binder: 25183:25187 ioctl 40046207 0 returned -16 [ 479.130662][T25201] binder_alloc: 25183: binder_alloc_buf, no vma 03:51:47 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0xa00, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 479.165380][T25195] binder_alloc: 25183: binder_alloc_buf, no vma [ 479.221514][ T22] binder: release 25183:25187 transaction 3184 out, still active [ 479.235745][T25195] binder: 25183:25195 ioctl c0306201 200002c0 returned -14 [ 479.247969][ T22] binder: unexpected work type, 4, not freed [ 479.268914][ T22] binder: undelivered TRANSACTION_COMPLETE [ 479.288566][T25205] binder_alloc: 25183: binder_alloc_buf, no vma [ 479.308176][ T22] binder: send failed reply for transaction 3184, target dead 03:51:48 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r0 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r0, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) sendmmsg(r0, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:48 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x4c00, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:48 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x4c00000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:48 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x2000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:48 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000189, 0x0) 03:51:48 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000157, 0x0) [ 479.574585][T25220] binder: 25215:25220 sending u0000000000000000 node 3194, cookie mismatch 0000000000000004 != 0000000000000000 [ 479.597403][T25216] binder: 25213:25216 got transaction with invalid offset (0, min 0 max 0) or object. [ 479.609382][T25220] binder: 25215:25220 ioctl c0306201 200002c0 returned -14 03:51:48 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x6800, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 479.648305][T25226] binder_alloc: binder_alloc_mmap_handler: 25215 20001000-20004000 already mapped failed -16 03:51:48 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x4800, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 479.753388][T25231] binder_alloc: 25215: binder_alloc_buf, no vma 03:51:48 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x6c00, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 479.834693][T25235] binder: BINDER_SET_CONTEXT_MGR already set [ 479.879976][T25235] binder: 25215:25235 ioctl 40046207 0 returned -16 [ 479.880319][T25226] binder_alloc: 25215: binder_alloc_buf, no vma [ 479.984798][ T22] binder: release 25215:25220 transaction 3193 out, still active [ 479.994722][T25234] binder_alloc: 25215: binder_alloc_buf, no vma [ 480.009156][T25226] binder: 25215:25226 ioctl c0306201 200002c0 returned -14 [ 480.021352][ T22] binder: unexpected work type, 4, not freed [ 480.043313][T25238] binder_alloc: 25215: binder_alloc_buf, no vma [ 480.069416][ T22] binder: undelivered TRANSACTION_COMPLETE 03:51:48 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x4c00, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:48 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000158, 0x0) [ 480.088024][T25220] binder_alloc: 25215: binder_alloc_buf, no vma [ 480.105111][ T22] binder: send failed reply for transaction 3193, target dead 03:51:48 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000018a, 0x0) 03:51:49 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x7400000000000000, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:49 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x6800000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:49 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x7400, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:49 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x6000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:49 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000018b, 0x0) [ 480.595844][T25259] binder_transaction: 51 callbacks suppressed [ 480.595861][T25259] binder: 25257:25259 transaction failed 29189/-22, size 0-8 line 2994 [ 480.617684][T25260] binder: 25256:25260 transaction failed 29189/-22, size 24-8 line 2994 [ 480.628577][T25264] binder: 25258:25264 transaction failed 29189/-22, size 29696-8 line 2994 03:51:49 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000159, 0x0) 03:51:49 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000018c, 0x0) 03:51:49 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x7a00, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 480.657243][T25269] binder: 25263:25269 transaction failed 29189/-22, size 0-8 line 2994 [ 480.692201][T25260] binder: 25256:25260 ioctl c0306201 200002c0 returned -14 03:51:49 executing program 3: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000116, 0x0) 03:51:49 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x6800, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 480.731655][T25265] binder: 25256:25265 transaction failed 29189/-22, size 24-8 line 2994 [ 480.814048][T25265] binder: 25256:25265 ioctl c0306201 200002c0 returned -14 03:51:49 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000018d, 0x0) [ 480.859984][T25283] binder: 25277:25283 transaction failed 29189/-22, size 31232-8 line 2994 03:51:49 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x6c00000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 480.928791][T25286] binder: 25282:25286 transaction failed 29189/-22, size 0-8 line 2994 03:51:49 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x1000000, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:49 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x6c00, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 481.130544][T25295] binder: 25293:25295 transaction failed 29189/-22, size 16777216-8 line 2994 [ 481.145098][T25296] binder: 25291:25296 sending u0000000000000000 node 3215, cookie mismatch 0000000000000004 != 0000000000000000 [ 481.207426][T25298] binder: 25297:25298 got transaction with invalid offset (0, min 0 max 0) or object. [ 481.227636][T25296] binder: 25291:25296 transaction failed 29201/-22, size 24-8 line 3257 03:51:50 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x2000000, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 481.258629][T25296] binder: 25291:25296 ioctl c0306201 200002c0 returned -14 [ 481.280777][T25298] binder: 25297:25298 transaction failed 29201/-22, size 0-8 line 3241 03:51:50 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000015a, 0x0) [ 481.335224][T25301] binder_alloc: binder_alloc_mmap_handler: 25291 20001000-20004000 already mapped failed -16 [ 481.381056][T25296] binder: BINDER_SET_CONTEXT_MGR already set 03:51:50 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000018e, 0x0) 03:51:50 executing program 3: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000116, 0x0) [ 481.425105][T25296] binder: 25291:25296 ioctl 40046207 0 returned -16 [ 481.425415][T25301] binder_alloc: 25291: binder_alloc_buf, no vma [ 481.452422][ T22] binder_release_work: 53 callbacks suppressed [ 481.452429][ T22] binder: undelivered TRANSACTION_ERROR: 29201 03:51:50 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x7400, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 481.487531][T25303] binder: 25291:25303 ioctl c0306201 200002c0 returned -14 [ 481.529723][ T22] binder: send failed reply for transaction 3214 to 25291:25296 03:51:50 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x3000000, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 481.579588][ T22] binder: undelivered TRANSACTION_ERROR: 29189 [ 481.611342][ T22] binder: undelivered TRANSACTION_ERROR: 29189 03:51:50 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x7400000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 481.637847][ T22] binder: undelivered TRANSACTION_ERROR: 29189 [ 481.669377][ T22] binder: undelivered TRANSACTION_COMPLETE 03:51:50 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x7a00, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:50 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000018f, 0x0) [ 481.697350][ T22] binder: undelivered TRANSACTION_ERROR: 29201 [ 481.710864][ T22] binder: undelivered TRANSACTION_ERROR: 29189 [ 481.773439][ T22] binder: undelivered TRANSACTION_ERROR: 29189 03:51:50 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x4000000, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 481.847807][T25328] binder: 25325:25328 sending u0000000000000000 node 3226, cookie mismatch 0000000000000004 != 0000000000000000 [ 481.860772][ T22] binder: undelivered TRANSACTION_ERROR: 29189 [ 481.873694][T25330] binder: 25327:25330 got transaction with invalid offset (0, min 0 max 0) or object. [ 481.930484][T25328] binder: 25325:25328 ioctl c0306201 200002c0 returned -14 03:51:50 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000190, 0x0) 03:51:50 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000015b, 0x0) 03:51:50 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x1000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:50 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x5000000, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 481.990391][T25336] binder_alloc: binder_alloc_mmap_handler: 25325 20001000-20004000 already mapped failed -16 [ 482.016680][T25328] binder: BINDER_SET_CONTEXT_MGR already set [ 482.056984][T25328] binder: 25325:25328 ioctl 40046207 0 returned -16 [ 482.099365][T25338] binder: 25325:25338 ioctl c0306201 200002c0 returned -14 [ 482.099864][ T22] binder: undelivered TRANSACTION_ERROR: 29201 03:51:50 executing program 3: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000015a, 0x0) [ 482.145463][ T22] binder: send failed reply for transaction 3225 to 25325:25328 [ 482.171178][ T22] binder: undelivered TRANSACTION_ERROR: 29189 [ 482.191901][ T22] binder: undelivered TRANSACTION_COMPLETE 03:51:51 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:51 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x7a00000000000000, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:51 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x6000000, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:51 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000191, 0x0) [ 482.412153][T25360] binder: 25358:25360 sending u0000000000000000 node 3238, cookie mismatch 0000000000000004 != 0000000000000000 03:51:51 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x3000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:51 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x7000000, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 482.495239][T25360] binder: 25358:25360 ioctl c0306201 200002c0 returned -14 03:51:51 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000015c, 0x0) [ 482.545737][T25368] binder_alloc: binder_alloc_mmap_handler: 25358 20001000-20004000 already mapped failed -16 [ 482.611925][T25360] binder: BINDER_SET_CONTEXT_MGR already set [ 482.641819][T25360] binder: 25358:25360 ioctl 40046207 0 returned -16 03:51:51 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x4000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:51 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000192, 0x0) [ 482.661102][T25377] binder: 25358:25377 ioctl c0306201 200002c0 returned -14 [ 482.694064][ T12] binder: release 25358:25360 transaction 3237 out, still active [ 482.733875][ T12] binder: unexpected work type, 4, not freed 03:51:51 executing program 3: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000015a, 0x0) 03:51:51 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x8000000, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:51 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x2, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 482.775643][ T12] binder: undelivered TRANSACTION_COMPLETE 03:51:51 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x5000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 482.842026][ T12] binder: send failed reply for transaction 3237, target dead 03:51:51 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0xa000000, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 482.958093][T25395] binder: 25394:25395 sending u0000000000000000 node 3250, cookie mismatch 0000000000000004 != 0000000000000000 [ 482.986831][T25397] binder: 25396:25397 got transaction with invalid offset (0, min 0 max 0) or object. [ 483.032031][T25395] binder: 25394:25395 ioctl c0306201 200002c0 returned -14 03:51:51 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x6000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 483.102440][T25400] binder_alloc: binder_alloc_mmap_handler: 25394 20001000-20004000 already mapped failed -16 [ 483.138956][T25395] binder: BINDER_SET_CONTEXT_MGR already set 03:51:52 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x48000000, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:52 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000015d, 0x0) [ 483.182809][T25395] binder: 25394:25395 ioctl 40046207 0 returned -16 [ 483.286060][T25409] binder: 25394:25409 ioctl c0306201 200002c0 returned -14 [ 483.319953][ T22] binder: send failed reply for transaction 3249 to 25394:25395 03:51:52 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x7000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:52 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x0, 0x300) r1 = fcntl$dupfd(r0, 0x0, 0xffffffffffffffff) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r2, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r2, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) ioctl$DRM_IOCTL_ADD_CTX(r1, 0xc0086420, &(0x7f0000000080)) sendmmsg(r2, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:52 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x3, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:52 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000193, 0x0) [ 483.342877][ T22] binder: undelivered TRANSACTION_COMPLETE 03:51:52 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x4c000000, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 483.502855][T25426] binder: 25421:25426 sending u0000000000000000 node 3261, cookie mismatch 0000000000000004 != 0000000000000000 [ 483.525227][T25424] binder: 25423:25424 got transaction with invalid offset (0, min 0 max 0) or object. [ 483.580675][T25426] binder: 25421:25426 ioctl c0306201 200002c0 returned -14 03:51:52 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x8000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 483.626566][T25431] binder_alloc: binder_alloc_mmap_handler: 25421 20001000-20004000 already mapped failed -16 [ 483.672736][T25426] binder: BINDER_SET_CONTEXT_MGR already set [ 483.702507][T25426] binder: 25421:25426 ioctl 40046207 0 returned -16 03:51:52 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000194, 0x0) 03:51:52 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x68000000, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 483.733278][T25435] binder: 25421:25435 ioctl c0306201 200002c0 returned -14 [ 483.752637][ T12] binder: release 25421:25426 transaction 3260 out, still active [ 483.779189][ T12] binder: unexpected work type, 4, not freed 03:51:52 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000015e, 0x0) 03:51:52 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x4, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 483.831889][ T12] binder: undelivered TRANSACTION_COMPLETE [ 483.870857][ T12] binder: send failed reply for transaction 3260, target dead 03:51:52 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0xa000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:52 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x6c000000, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 484.016865][T25449] binder: 25447:25449 sending u0000000000000000 node 3272, cookie mismatch 0000000000000004 != 0000000000000000 [ 484.102065][T25449] binder: 25447:25449 ioctl c0306201 200002c0 returned -14 [ 484.155654][T25456] binder_alloc: binder_alloc_mmap_handler: 25447 20001000-20004000 already mapped failed -16 [ 484.159562][T25455] binder_alloc_new_buf_locked: 17 callbacks suppressed [ 484.159571][T25455] binder_alloc: 25447: binder_alloc_buf, no vma [ 484.221579][T25449] binder: BINDER_SET_CONTEXT_MGR already set [ 484.255527][T25457] binder_alloc: 25447: binder_alloc_buf, no vma [ 484.264416][T25449] binder: 25447:25449 ioctl 40046207 0 returned -16 03:51:53 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x20000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 484.303661][T25456] binder_alloc: 25447: binder_alloc_buf, no vma [ 484.353144][ T22] binder: send failed reply for transaction 3271 to 25447:25449 [ 484.371443][T25459] binder_alloc: 25447: binder_alloc_buf, no vma [ 484.382107][ T22] binder: undelivered TRANSACTION_COMPLETE [ 484.443942][T25459] binder: 25447:25459 ioctl c0306201 200002c0 returned -14 03:51:53 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x3, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:53 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x74000000, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:53 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x5, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:53 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000015f, 0x0) 03:51:53 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000195, 0x0) 03:51:53 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x48000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 484.716568][T25481] binder: 25471:25481 sending u0000000000000000 node 3283, cookie mismatch 0000000000000004 != 0000000000000000 [ 484.740829][T25482] binder: 25475:25482 got transaction with invalid offset (0, min 0 max 0) or object. [ 484.742024][T25483] binder: BINDER_SET_CONTEXT_MGR already set [ 484.758638][T25481] binder: 25471:25481 ioctl c0306201 200002c0 returned -14 03:51:53 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x7a000000, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 484.786615][T25483] binder: 25480:25483 ioctl 40046207 0 returned -16 [ 484.824934][T25486] binder_alloc: binder_alloc_mmap_handler: 25471 20001000-20004000 already mapped failed -16 03:51:53 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000196, 0x0) 03:51:53 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x4c000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 484.829271][T25487] binder_alloc: 25471: binder_alloc_buf, no vma [ 484.900005][T25481] binder: BINDER_SET_CONTEXT_MGR already set [ 484.943891][T25481] binder: 25471:25481 ioctl 40046207 0 returned -16 [ 484.962077][T25487] binder: 25480:25487 ioctl c0306201 200002c0 returned -14 [ 484.972142][T25489] binder_alloc: 25471: binder_alloc_buf, no vma 03:51:53 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000160, 0x0) [ 484.990003][T25496] binder_alloc: 25471: binder_alloc_buf, no vma [ 485.021406][T25486] binder_alloc: 25471: binder_alloc_buf, no vma [ 485.034519][ T12] binder: release 25480:25487 transaction 3287 out, still active [ 485.059770][ T12] binder: unexpected work type, 4, not freed 03:51:53 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x100000000000000, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 485.071388][T25497] binder_alloc: 25471: binder_alloc_buf, no vma [ 485.101924][T25497] binder: 25471:25497 ioctl c0306201 200002c0 returned -14 03:51:53 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x60000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 485.117679][ T12] binder: undelivered TRANSACTION_COMPLETE 03:51:53 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x0, 0x300) r1 = fcntl$dupfd(r0, 0x0, 0xffffffffffffffff) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r2, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r2, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) ioctl$DRM_IOCTL_ADD_CTX(r1, 0xc0086420, &(0x7f0000000080)={0x0}) ioctl$DRM_IOCTL_RM_CTX(r1, 0xc0086421, &(0x7f0000000100)={r3}) sendmmsg(r2, &(0x7f0000000480), 0x2e9, 0xffd8) [ 485.145543][ T12] binder: send failed reply for transaction 3282 to 25471:25481 [ 485.206048][ T12] binder: send failed reply for transaction 3287, target dead 03:51:54 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x6, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 485.260877][ T12] binder: undelivered TRANSACTION_COMPLETE 03:51:54 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x200000000000000, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:54 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x68000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:54 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000197, 0x0) [ 485.394773][T25514] binder: 25511:25514 sending u0000000000000000 node 3299, cookie mismatch 0000000000000004 != 0000000000000000 [ 485.492136][T25514] binder: 25511:25514 ioctl c0306201 200002c0 returned -14 [ 485.549533][T25523] binder: 25520:25523 got transaction with invalid offset (0, min 0 max 0) or object. [ 485.580023][T25525] binder_alloc: binder_alloc_mmap_handler: 25511 20001000-20004000 already mapped failed -16 03:51:54 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x300000000000000, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:54 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000161, 0x0) [ 485.606802][T25523] binder_transaction: 53 callbacks suppressed [ 485.606833][T25523] binder: 25520:25523 transaction failed 29201/-22, size 0-8 line 3241 03:51:54 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000198, 0x0) [ 485.679915][T25514] binder: BINDER_SET_CONTEXT_MGR already set [ 485.729795][T25514] binder: 25511:25514 ioctl 40046207 0 returned -16 03:51:54 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x6c000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 485.781973][ T22] binder: release 25511:25514 transaction 3298 out, still active [ 485.793012][T25525] binder_alloc: 25511: binder_alloc_buf, no vma [ 485.809339][ T22] binder: unexpected work type, 4, not freed [ 485.842636][ T22] binder: undelivered TRANSACTION_COMPLETE [ 485.851510][T25535] binder: 25533:25535 transaction failed 29189/-3, size 216172782113783808-8 line 3147 [ 485.863921][T25532] binder: 25511:25532 transaction failed 29189/-3, size 24-8 line 3147 [ 485.886779][ T22] binder: send failed reply for transaction 3298, target dead [ 485.909116][T25525] binder: 25511:25525 transaction failed 29189/-3, size 24-8 line 3147 03:51:54 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x400000000000000, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 485.939805][T25532] binder: 25511:25532 ioctl c0306201 200002c0 returned -14 [ 485.964048][T25539] binder: 25538:25539 transaction failed 29189/-22, size 0-8 line 2994 03:51:54 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x7, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:54 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x74000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 486.172257][T25547] binder: 25545:25547 transaction failed 29189/-22, size 288230376151711744-8 line 2994 [ 486.206257][T25550] binder: 25546:25550 sending u0000000000000000 node 3311, cookie mismatch 0000000000000004 != 0000000000000000 [ 486.234570][T25551] binder: 25548:25551 got transaction with invalid offset (0, min 0 max 0) or object. [ 486.244485][T25550] binder: 25546:25550 transaction failed 29201/-22, size 24-8 line 3257 [ 486.272564][T25550] binder: 25546:25550 ioctl c0306201 200002c0 returned -14 [ 486.278212][T25551] binder: 25548:25551 transaction failed 29201/-22, size 0-8 line 3241 [ 486.292800][T25553] binder_alloc: binder_alloc_mmap_handler: 25546 20001000-20004000 already mapped failed -16 [ 486.311933][T25550] binder: BINDER_SET_CONTEXT_MGR already set [ 486.324851][T25550] binder: 25546:25550 ioctl 40046207 0 returned -16 [ 486.339542][T25553] binder: 25546:25553 transaction failed 29189/-3, size 24-8 line 3147 [ 486.358590][T25555] binder: 25546:25555 transaction failed 29189/-3, size 24-8 line 3147 [ 486.374960][ T12] binder: release 25546:25550 transaction 3310 out, still active 03:51:55 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x6, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:55 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x1000000000000199, 0x0) 03:51:55 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000162, 0x0) 03:51:55 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x500000000000000, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:55 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x7a000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 486.385473][T25555] binder: 25546:25555 ioctl c0306201 200002c0 returned -14 [ 486.395102][ T12] binder: unexpected work type, 4, not freed [ 486.429839][ T12] binder: undelivered TRANSACTION_COMPLETE [ 486.477702][ T12] binder_release_work: 56 callbacks suppressed [ 486.477709][ T12] binder: undelivered TRANSACTION_ERROR: 29201 [ 486.499771][T25565] binder: BINDER_SET_CONTEXT_MGR already set [ 486.511274][T25565] binder: 25561:25565 ioctl 40046207 0 returned -16 03:51:55 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x8, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 486.524072][ T12] binder: undelivered TRANSACTION_ERROR: 29201 03:51:55 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x600000000000000, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 486.561111][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 486.573546][T25565] binder: 25561:25565 ioctl c0306201 200002c0 returned -14 [ 486.603346][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 486.631641][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 486.665653][ T12] binder: send failed reply for transaction 3310, target dead [ 486.695500][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 486.703580][T25572] binder: 25570:25572 sending u0000000000000000 node 3322, cookie mismatch 0000000000000004 != 0000000000000000 03:51:55 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000163, 0x0) 03:51:55 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0xfdfdffff, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 486.730977][T25572] binder: 25570:25572 ioctl c0306201 200002c0 returned -14 [ 486.742215][ T22] binder: undelivered TRANSACTION_ERROR: 29189 03:51:55 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x0, 0x300) r1 = fcntl$dupfd(r0, 0x0, 0xffffffffffffffff) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r2, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r2, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) ioctl$DRM_IOCTL_ADD_CTX(r1, 0xc0086420, &(0x7f0000000080)={0x0}) ioctl$DRM_IOCTL_RM_CTX(r1, 0xc0086421, &(0x7f0000000100)={r3}) sendmmsg(r2, &(0x7f0000000480), 0x2e9, 0xffd8) 03:51:55 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000019a, 0x0) [ 486.831493][T25582] binder_alloc: binder_alloc_mmap_handler: 25570 20001000-20004000 already mapped failed -16 03:51:55 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x700000000000000, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:55 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffdfd, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 486.948822][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 486.960216][T25591] binder: 25570:25591 ioctl c0306201 200002c0 returned -14 [ 486.967610][T25572] binder: BINDER_SET_CONTEXT_MGR already set [ 487.036605][ T12] binder: release 25570:25572 transaction 3321 out, still active [ 487.046457][T25572] binder: 25570:25572 ioctl 40046207 0 returned -16 [ 487.076483][ T12] binder: unexpected work type, 4, not freed 03:51:55 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0xa, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:55 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x800000000000000, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 487.126194][ T12] binder: undelivered TRANSACTION_COMPLETE [ 487.174289][ T12] binder: undelivered TRANSACTION_ERROR: 29201 03:51:56 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x100000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 487.225820][ T12] binder: undelivered TRANSACTION_ERROR: 29189 03:51:56 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000019b, 0x0) [ 487.287158][T25606] binder: BINDER_SET_CONTEXT_MGR already set 03:51:56 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0xa00000000000000, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 487.361964][T25606] binder: 25602:25606 ioctl 40046207 0 returned -16 [ 487.362427][ T12] binder: send failed reply for transaction 3321, target dead [ 487.382286][T25611] binder: 25602:25611 ioctl c0306201 200002c0 returned -14 03:51:56 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000164, 0x0) 03:51:56 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x200000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 487.440829][T25610] binder_alloc: binder_alloc_mmap_handler: 25602 20001000-20004000 already mapped failed -16 [ 487.519181][T25610] binder: 25602:25610 ioctl c0306201 200002c0 returned -14 03:51:56 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x4800000000000000, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:56 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x0, 0x300) r1 = fcntl$dupfd(r0, 0x0, 0xffffffffffffffff) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r2, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r2, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) ioctl$DRM_IOCTL_ADD_CTX(r1, 0xc0086420, &(0x7f0000000080)={0x0}) ioctl$DRM_IOCTL_RM_CTX(r1, 0xc0086421, &(0x7f0000000100)={r3}) sendmmsg(r2, &(0x7f0000000480), 0x2e9, 0xffd8) fcntl$F_SET_FILE_RW_HINT(r0, 0x40e, &(0x7f0000000000)=0x4) socket$packet(0x11, 0x0, 0x300) 03:51:56 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x10, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:56 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x4c00000000000000, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:56 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000019c, 0x0) 03:51:56 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x300000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 487.913867][T25643] binder: 25639:25643 got transaction with invalid offset (0, min 0 max 0) or object. [ 487.925906][T25644] binder: 25635:25644 sending u0000000000000000 node 3344, cookie mismatch 0000000000000004 != 0000000000000000 03:51:56 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x6800000000000000, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 487.960902][T25644] binder: 25635:25644 ioctl c0306201 200002c0 returned -14 03:51:56 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000019d, 0x0) 03:51:56 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000165, 0x0) 03:51:56 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x400000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 488.034418][T25644] binder: BINDER_SET_CONTEXT_MGR already set [ 488.048134][T25647] binder_alloc: binder_alloc_mmap_handler: 25635 20001000-20004000 already mapped failed -16 [ 488.063958][T25644] binder: 25635:25644 ioctl 40046207 0 returned -16 [ 488.162107][ T22] binder: release 25635:25644 transaction 3343 out, still active [ 488.181094][ T22] binder: unexpected work type, 4, not freed 03:51:57 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x6c00000000000000, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 488.217071][ T22] binder: undelivered TRANSACTION_COMPLETE 03:51:57 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x500000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:57 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x48, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 488.258217][ T22] binder: send failed reply for transaction 3343, target dead [ 488.479185][T25675] binder: 25671:25675 sending u0000000000000000 node 3353, cookie mismatch 0000000000000004 != 0000000000000000 [ 488.553091][T25675] binder: 25671:25675 ioctl c0306201 200002c0 returned -14 [ 488.576823][T25679] binder_alloc: binder_alloc_mmap_handler: 25671 20001000-20004000 already mapped failed -16 [ 488.590371][T25675] binder: BINDER_SET_CONTEXT_MGR already set [ 488.599652][T25680] binder: 25671:25680 ioctl c0306201 200002c0 returned -14 [ 488.630785][T25675] binder: 25671:25675 ioctl 40046207 0 returned -16 [ 488.644927][ T22] binder: release 25671:25675 transaction 3352 out, still active [ 488.657013][ T22] binder: unexpected work type, 4, not freed [ 488.679182][ T22] binder: undelivered TRANSACTION_COMPLETE [ 488.710440][ T22] binder: send failed reply for transaction 3352, target dead 03:51:57 executing program 3: perf_event_open(0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) r0 = socket$packet(0x11, 0x0, 0x300) r1 = fcntl$dupfd(r0, 0x0, 0xffffffffffffffff) perf_event_open(&(0x7f000001d000)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r2 = socket$inet6(0xa, 0x3, 0x7) connect$inet6(r2, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback}, 0x1c) setsockopt$inet6_IPV6_XFRM_POLICY(r2, 0x29, 0x23, &(0x7f0000000340)={{{@in=@loopback, @in=@broadcast, 0x0, 0x0, 0x0, 0x0, 0xa}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@broadcast, 0x0, 0xff}, 0x0, @in=@empty, 0x0, 0x4, 0x0, 0x6, 0x8}}, 0xe8) ioctl$DRM_IOCTL_ADD_CTX(r1, 0xc0086420, &(0x7f0000000080)={0x0}) ioctl$DRM_IOCTL_RM_CTX(r1, 0xc0086421, &(0x7f0000000100)={r3}) sendmmsg(r2, &(0x7f0000000480), 0x2e9, 0xffd8) fcntl$F_SET_FILE_RW_HINT(r0, 0x40e, &(0x7f0000000000)=0x4) socket$packet(0x11, 0x0, 0x300) ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, 0x0) sendmmsg(0xffffffffffffffff, 0x0, 0x0, 0x0) 03:51:57 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000019e, 0x0) 03:51:57 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x7400000000000000, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:57 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x600000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:57 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000166, 0x0) 03:51:57 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x4c, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:57 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x7a00000000000000, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 488.864713][T25693] binder: 25684:25693 sending u0000000000000000 node 3362, cookie mismatch 0000000000000004 != 0000000000000000 03:51:57 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x700000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 488.940173][T25693] binder: 25684:25693 ioctl c0306201 200002c0 returned -14 03:51:57 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x100000000000019f, 0x0) [ 488.992466][T25699] binder_alloc: binder_alloc_mmap_handler: 25684 20001000-20004000 already mapped failed -16 [ 489.055204][T25704] binder: 25684:25704 ioctl c0306201 200002c0 returned -14 03:51:57 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x2, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 489.114230][ T12] binder: release 25684:25693 transaction 3361 out, still active [ 489.141784][ T12] binder: unexpected work type, 4, not freed 03:51:58 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x68, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 489.207641][ T12] binder: undelivered TRANSACTION_COMPLETE 03:51:58 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x800000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 489.259718][ T12] binder: send failed reply for transaction 3361, target dead [ 489.362711][T25718] binder: 25716:25718 sending u0000000000000000 node 3372, cookie mismatch 0000000000000004 != 0000000000000000 [ 489.411102][T25722] binder: 25719:25722 got transaction with invalid offset (0, min 0 max 0) or object. [ 489.427397][T25718] binder: 25716:25718 ioctl c0306201 200002c0 returned -14 [ 489.450440][T25723] binder_alloc: binder_alloc_mmap_handler: 25716 20001000-20004000 already mapped failed -16 [ 489.498369][T25718] binder: BINDER_SET_CONTEXT_MGR already set [ 489.519057][T25718] binder: 25716:25718 ioctl 40046207 0 returned -16 [ 489.528984][T25726] binder_alloc_new_buf_locked: 23 callbacks suppressed [ 489.528991][T25726] binder_alloc: 25716: binder_alloc_buf, no vma [ 489.556230][T25723] binder_alloc: 25716: binder_alloc_buf, no vma [ 489.563755][T25726] binder: 25716:25726 ioctl c0306201 200002c0 returned -14 [ 489.572693][ T12] binder: release 25716:25718 transaction 3371 out, still active [ 489.584688][ T12] binder: unexpected work type, 4, not freed [ 489.599535][ T12] binder: undelivered TRANSACTION_COMPLETE [ 489.615763][ T12] binder: send failed reply for transaction 3371, target dead 03:51:58 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x6800000000000000, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:58 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x3, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:58 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000167, 0x0) 03:51:58 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000001a0, 0x0) 03:51:58 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0xa00000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:58 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x6c, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 489.919275][T25740] binder: 25730:25740 got transaction with invalid offsets size, 3 [ 489.919734][T25738] binder: 25729:25738 sending u0000000000000000 node 3381, cookie mismatch 0000000000000004 != 0000000000000000 03:51:58 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x4, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 489.960009][T25736] binder: 25734:25736 got transaction with invalid offset (0, min 0 max 0) or object. [ 490.009400][T25741] binder: 25739:25741 got transaction with invalid offset (0, min 0 max 0) or object. 03:51:58 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 490.056386][T25738] binder: 25729:25738 ioctl c0306201 200002c0 returned -14 [ 490.097855][T25744] binder: 25743:25744 got transaction with invalid offsets size, 4 [ 490.145905][T25745] binder_alloc: binder_alloc_mmap_handler: 25729 20001000-20004000 already mapped failed -16 [ 490.176080][T25745] binder_alloc: 25729: binder_alloc_buf, no vma 03:51:58 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x3, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 490.190576][T25748] binder_alloc: 25729: binder_alloc_buf, no vma 03:51:59 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x5, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 490.219706][T25748] binder: 25729:25748 ioctl c0306201 200002c0 returned -14 [ 490.230046][T25749] binder_alloc: 25729: binder_alloc_buf, no vma [ 490.236675][T25738] binder: BINDER_SET_CONTEXT_MGR already set 03:51:59 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000001a1, 0x0) 03:51:59 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x4800000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:59 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, 0x0, 0x0) getdents(r0, 0x0, 0x0) 03:51:59 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000169, 0x0) [ 490.312008][ T22] binder: send failed reply for transaction 3380 to 25729:25738 [ 490.321173][T25738] binder: 25729:25738 ioctl 40046207 0 returned -16 [ 490.346294][ T22] binder: undelivered TRANSACTION_COMPLETE 03:51:59 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x6, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:59 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x74, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:51:59 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000001a2, 0x0) 03:51:59 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x4c00000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:59 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x7, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 490.634461][T25778] binder: 25775:25778 sending u0000000000000000 node 3396, cookie mismatch 0000000000000004 != 0000000000000000 [ 490.722059][T25778] binder_transaction: 52 callbacks suppressed [ 490.722078][T25778] binder: 25775:25778 transaction failed 29201/-22, size 24-8 line 3257 [ 490.796351][T25788] binder: 25784:25788 got transaction with invalid offset (0, min 0 max 0) or object. [ 490.817361][T25778] binder: 25775:25778 ioctl c0306201 200002c0 returned -14 [ 490.828830][T25789] binder: 25786:25789 got transaction with invalid offsets size, 7 03:51:59 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000001a3, 0x0) [ 490.841893][T25788] binder: 25784:25788 transaction failed 29201/-22, size 0-8 line 3241 [ 490.855519][T25790] binder_alloc: binder_alloc_mmap_handler: 25775 20001000-20004000 already mapped failed -16 [ 490.868891][T25789] binder: 25786:25789 transaction failed 29201/-22, size 0-7 line 3201 03:51:59 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000016a, 0x0) [ 490.914731][T25778] binder: BINDER_SET_CONTEXT_MGR already set [ 490.934381][T25778] binder: 25775:25778 ioctl 40046207 0 returned -16 03:51:59 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x6000000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:51:59 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x9, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 490.972282][T25790] binder_alloc: 25775: binder_alloc_buf, no vma [ 491.000634][T25794] binder_alloc: 25775: binder_alloc_buf, no vma [ 491.044415][ T22] binder: release 25775:25778 transaction 3395 out, still active [ 491.053123][T25790] binder: 25775:25790 transaction failed 29189/-3, size 24-8 line 3147 [ 491.066068][ T22] binder: unexpected work type, 4, not freed [ 491.079159][ T22] binder: undelivered TRANSACTION_COMPLETE 03:51:59 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000001a4, 0x0) [ 491.088321][T25794] binder: 25775:25794 transaction failed 29189/-3, size 24-8 line 3147 [ 491.098167][ T22] binder: send failed reply for transaction 3395, target dead [ 491.104025][T25805] binder: 25800:25805 transaction failed 29189/-22, size 0-8 line 2994 [ 491.109654][T25794] binder: 25775:25794 ioctl c0306201 200002c0 returned -14 [ 491.124150][T25804] binder: 25803:25804 transaction failed 29189/-22, size 0-9 line 2994 03:52:00 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, 0x0, 0x0) getdents(r0, 0x0, 0x0) 03:52:00 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x7a, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:52:00 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0xa, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:52:00 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x6800000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:52:00 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000001a5, 0x0) 03:52:00 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000016b, 0x0) [ 491.420788][T25816] binder: 25815:25816 transaction failed 29189/-22, size 0-8 line 2994 [ 491.473684][T25820] binder: 25819:25820 transaction failed 29189/-22, size 0-10 line 2994 [ 491.493138][T25823] binder: 25817:25823 sending u0000000000000000 node 3409, cookie mismatch 0000000000000004 != 0000000000000000 03:52:00 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x6c00000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 491.545666][T25823] binder: 25817:25823 transaction failed 29201/-22, size 24-8 line 3257 [ 491.562336][T25823] binder: 25817:25823 ioctl c0306201 200002c0 returned -14 [ 491.574030][ T22] binder_release_work: 54 callbacks suppressed [ 491.574038][ T22] binder: undelivered TRANSACTION_ERROR: 29189 03:52:00 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0xb, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 491.629719][ T22] binder: undelivered TRANSACTION_ERROR: 29189 [ 491.643419][T25830] binder_alloc: binder_alloc_mmap_handler: 25817 20001000-20004000 already mapped failed -16 [ 491.700911][T25823] binder: BINDER_SET_CONTEXT_MGR already set [ 491.729629][T25823] binder: 25817:25823 ioctl 40046207 0 returned -16 [ 491.775426][T25830] binder_alloc: 25817: binder_alloc_buf, no vma 03:52:00 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000001a6, 0x0) [ 491.827894][ T22] binder: release 25817:25823 transaction 3408 out, still active [ 491.836907][T25833] binder_alloc: 25817: binder_alloc_buf, no vma [ 491.848878][ T22] binder: unexpected work type, 4, not freed [ 491.860630][T25833] binder: 25817:25833 ioctl c0306201 200002c0 returned -14 03:52:00 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x300, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 491.905417][ T22] binder: undelivered TRANSACTION_COMPLETE [ 491.911478][ T22] binder: undelivered TRANSACTION_ERROR: 29201 03:52:00 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000016c, 0x0) [ 491.961829][ T22] binder: undelivered TRANSACTION_ERROR: 29189 [ 491.982337][T25847] binder: BINDER_SET_CONTEXT_MGR already set [ 491.997376][ T22] binder: undelivered TRANSACTION_ERROR: 29189 [ 492.031648][T25847] binder: 25846:25847 ioctl 40046207 0 returned -16 [ 492.031847][T25849] binder_alloc: 25817: binder_alloc_buf, no vma [ 492.045154][ T22] binder: send failed reply for transaction 3408, target dead [ 492.062205][T25852] binder: 25846:25852 ioctl c0306201 200002c0 returned -14 03:52:00 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x7400000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 492.085690][T25852] binder_alloc: binder_alloc_mmap_handler: 25846 20001000-20004000 already mapped failed -16 [ 492.116743][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 492.149094][T25852] binder: 25846:25852 ioctl c0306201 200002c0 returned -14 [ 492.170132][ T22] binder: undelivered TRANSACTION_ERROR: 29189 [ 492.196211][ T22] binder: undelivered TRANSACTION_ERROR: 29189 [ 492.230070][ T22] binder: undelivered TRANSACTION_ERROR: 29189 [ 492.271867][ T22] binder: undelivered TRANSACTION_ERROR: 29189 03:52:01 executing program 3: r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = creat(&(0x7f00000001c0)='./file0\x00', 0x0) write$cgroup_type(r1, &(0x7f00000009c0)='threaded\x00', 0xced423) rename(&(0x7f0000000340)='./file0\x00', &(0x7f0000000300)='./file1\x00') getdents(r0, 0x0, 0x0) getdents(r0, 0x0, 0x0) 03:52:01 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0xc, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:52:01 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x500, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:52:01 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x7a00000000000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:52:01 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000001a7, 0x0) 03:52:01 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000016d, 0x0) [ 492.598673][T25871] binder: 25869:25871 sending u0000000000000000 node 3425, cookie mismatch 0000000000000004 != 0000000000000000 03:52:01 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0xfdfdffff00000000, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:52:01 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0xd, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 492.731064][T25871] binder: 25869:25871 ioctl c0306201 200002c0 returned -14 03:52:01 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000001a8, 0x0) [ 492.778362][T25883] binder: 25881:25883 got transaction with invalid offsets size, 13 [ 492.796041][T25888] binder_alloc: binder_alloc_mmap_handler: 25869 20001000-20004000 already mapped failed -16 03:52:01 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 492.863219][T25888] binder: 25869:25888 ioctl c0306201 200002c0 returned -14 03:52:01 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0xe, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 492.920198][ T12] binder: release 25869:25871 transaction 3424 out, still active [ 492.930562][ T12] binder: unexpected work type, 4, not freed [ 492.955935][ T12] binder: undelivered TRANSACTION_COMPLETE 03:52:01 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000016e, 0x0) [ 493.005145][ T12] binder: send failed reply for transaction 3424, target dead 03:52:02 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x7, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:52:02 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:52:02 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x600, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:52:02 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x10, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:52:02 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x100000000000016f, 0x0) 03:52:02 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000001a9, 0x0) 03:52:02 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:52:02 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x11, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 493.657706][T25923] binder: 25919:25923 sending u0000000000000000 node 3438, cookie mismatch 0000000000000004 != 0000000000000000 [ 493.689406][T25923] binder: 25919:25923 ioctl c0306201 200002c0 returned -14 03:52:02 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000001aa, 0x0) [ 493.767853][T25928] binder_alloc: binder_alloc_mmap_handler: 25919 20001000-20004000 already mapped failed -16 [ 493.811135][T25923] binder: BINDER_SET_CONTEXT_MGR already set 03:52:02 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x12, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 493.856158][T25923] binder: 25919:25923 ioctl 40046207 0 returned -16 03:52:02 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 493.962873][T25928] binder: 25919:25928 ioctl c0306201 200002c0 returned -14 [ 493.972213][ T22] binder: send failed reply for transaction 3437 to 25919:25923 [ 493.999806][ T22] binder: undelivered TRANSACTION_COMPLETE 03:52:02 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000170, 0x0) 03:52:02 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x68, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:52:02 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:52:02 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x700, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:52:02 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x2f, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:52:03 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:52:03 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x2fd8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 494.292000][T25961] binder: 25959:25961 sending u0000000000000000 node 3453, cookie mismatch 0000000000000004 != 0000000000000000 03:52:03 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x6c00, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 494.372009][T25961] binder: 25959:25961 ioctl c0306201 200002c0 returned -14 [ 494.395660][T25967] binder: 25966:25967 got transaction with invalid offset (0, min 0 max 0) or object. [ 494.429952][T25971] binder_alloc: binder_alloc_mmap_handler: 25959 20001000-20004000 already mapped failed -16 03:52:03 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000001ab, 0x0) 03:52:03 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000171, 0x0) [ 494.512248][T25961] binder: BINDER_SET_CONTEXT_MGR already set [ 494.518379][T25961] binder: 25959:25961 ioctl 40046207 0 returned -16 [ 494.545861][ T12] binder: send failed reply for transaction 3452 to 25959:25961 03:52:03 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x2fe0, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:52:03 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 494.570409][ T12] binder: undelivered TRANSACTION_COMPLETE 03:52:03 executing program 3: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000000f1, 0x0) 03:52:03 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0xa00, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:52:03 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xa, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:52:03 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x20000608, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 494.842913][T25996] binder: 25993:25996 sending u0000000000000000 node 3464, cookie mismatch 0000000000000004 != 0000000000000000 [ 494.881945][T25997] binder: 25994:25997 got transaction with invalid offset (0, min 0 max 0) or object. [ 494.902040][T25996] binder: 25993:25996 ioctl c0306201 200002c0 returned -14 03:52:03 executing program 3: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x10000000000000ea, 0x0) 03:52:03 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000172, 0x0) 03:52:03 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x2]}}}], 0x0, 0x0, 0x0}) [ 494.957041][T26003] binder_alloc: binder_alloc_mmap_handler: 25993 20001000-20004000 already mapped failed -16 [ 494.991398][T25996] binder: BINDER_SET_CONTEXT_MGR already set 03:52:03 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000001ac, 0x0) 03:52:03 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x48, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 495.045569][T25996] binder: 25993:25996 ioctl 40046207 0 returned -16 [ 495.054756][T26003] binder_alloc_new_buf_locked: 13 callbacks suppressed [ 495.054766][T26003] binder_alloc: 25993: binder_alloc_buf, no vma 03:52:03 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40406301, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 495.114835][ T12] binder: send failed reply for transaction 3463 to 25993:25996 [ 495.136781][T26016] binder_alloc: 25993: binder_alloc_buf, no vma [ 495.144788][ T12] binder: undelivered TRANSACTION_COMPLETE 03:52:04 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x2000, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:52:04 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x3]}}}], 0x0, 0x0, 0x0}) 03:52:04 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4c, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 495.327162][T26026] binder: 26025:26026 got reply transaction with bad transaction stack, transaction 3473 has target 26025:0 [ 495.363425][T26030] binder: BINDER_SET_CONTEXT_MGR already set 03:52:04 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000001ad, 0x0) [ 495.402090][T26026] binder: 26025:26026 ioctl c0306201 200002c0 returned -14 [ 495.409581][T26030] binder: 26027:26030 ioctl 40046207 0 returned -16 [ 495.417602][T26035] binder: 26027:26035 sending u0000000000000000 node 3480, cookie mismatch 0000000000000004 != 0000000000000000 [ 495.430578][T26031] binder: 26028:26031 got transaction with invalid offset (3, min 0 max 0) or object. [ 495.431221][T26035] binder: 26027:26035 ioctl c0306201 200002c0 returned -14 [ 495.444500][T26034] binder: 26033:26034 got transaction with invalid offset (0, min 0 max 0) or object. [ 495.483986][ T22] binder: release 26025:26026 transaction 3473 out, still active [ 495.492707][ T22] binder: unexpected work type, 4, not freed [ 495.499549][T26035] binder_alloc: binder_alloc_mmap_handler: 26027 20001000-20004000 already mapped failed -16 [ 495.516040][ T22] binder: undelivered TRANSACTION_COMPLETE 03:52:04 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x4]}}}], 0x0, 0x0, 0x0}) 03:52:04 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000173, 0x0) [ 495.555700][T26040] binder: BINDER_SET_CONTEXT_MGR already set [ 495.587390][T26035] binder: 26027:26035 ioctl c0306201 200002c0 returned -14 03:52:04 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x60, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 495.599489][ T12] binder: send failed reply for transaction 3473, target dead 03:52:04 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40406301, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 495.633111][ T12] binder: send failed reply for transaction 3479 to 26027:26035 [ 495.645889][ T12] binder: undelivered transaction 3483, process died. 03:52:04 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000001ae, 0x0) [ 495.678745][T26040] binder: 26027:26040 ioctl 40046207 0 returned -16 [ 495.691394][ T12] binder: undelivered TRANSACTION_COMPLETE [ 495.719011][ T12] binder: undelivered TRANSACTION_COMPLETE 03:52:04 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000174, 0x0) 03:52:04 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x4800, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:52:04 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x5]}}}], 0x0, 0x0, 0x0}) 03:52:04 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x68, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 495.764513][T26054] binder: 26053:26054 got reply transaction with bad transaction stack, transaction 3490 has target 26053:0 [ 495.849614][T26064] binder: 26062:26064 got transaction with invalid offset (0, min 0 max 0) or object. [ 495.864791][T26064] binder_transaction: 50 callbacks suppressed [ 495.864808][T26064] binder: 26062:26064 transaction failed 29201/-22, size 0-8 line 3241 [ 495.884884][T26069] binder: BINDER_SET_CONTEXT_MGR already set [ 495.886280][T26054] binder: 26053:26054 transaction failed 29201/-71, size 24-8 line 2914 [ 495.903684][T26054] binder: 26053:26054 ioctl c0306201 200002c0 returned -14 [ 495.927766][ T22] binder: release 26053:26054 transaction 3490 out, still active [ 495.927779][T26067] binder: 26063:26067 got transaction with invalid offset (5, min 0 max 0) or object. 03:52:04 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000001af, 0x0) 03:52:04 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6c, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 495.927829][T26067] binder: 26063:26067 transaction failed 29201/-22, size 0-8 line 3241 [ 495.960731][T26069] binder: 26066:26069 ioctl 40046207 0 returned -16 [ 495.962342][ T22] binder: unexpected work type, 4, not freed 03:52:04 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40406301, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 495.999426][T26071] binder: 26066:26071 sending u0000000000000000 node 3497, cookie mismatch 0000000000000004 != 0000000000000000 [ 496.028785][ T22] binder: undelivered TRANSACTION_COMPLETE [ 496.067308][ T22] binder: send failed reply for transaction 3490, target dead [ 496.075454][T26071] binder: 26066:26071 transaction failed 29201/-22, size 24-8 line 3257 [ 496.090936][T26079] binder: 26076:26079 transaction failed 29189/-22, size 0-8 line 2994 [ 496.114262][ T22] binder: send failed reply for transaction 3496 to 26066:26071 [ 496.126746][T26071] binder: 26066:26071 ioctl c0306201 200002c0 returned -14 [ 496.128310][T26080] binder: 26078:26080 got reply transaction with bad transaction stack, transaction 3502 has target 26078:0 03:52:04 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x6]}}}], 0x0, 0x0, 0x0}) [ 496.162158][T26071] binder_alloc: binder_alloc_mmap_handler: 26066 20001000-20004000 already mapped failed -16 [ 496.182253][T26080] binder: 26078:26080 transaction failed 29201/-71, size 24-8 line 2914 03:52:05 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x74, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:52:05 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000001b0, 0x0) [ 496.221417][T26069] binder: BINDER_SET_CONTEXT_MGR already set [ 496.229661][T26080] binder: 26078:26080 ioctl c0306201 200002c0 returned -14 [ 496.265272][T26069] binder: 26066:26069 ioctl 40046207 0 returned -16 [ 496.265532][T26088] binder: 26086:26088 got transaction with invalid offset (6, min 0 max 0) or object. [ 496.290830][T26090] binder: 26066:26090 sending u0000000000000000 node 3508, cookie mismatch 0000000000000004 != 0000000000000000 03:52:05 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000175, 0x0) [ 496.310696][T26091] binder: 26087:26091 got transaction with invalid offset (0, min 0 max 0) or object. [ 496.313176][T26088] binder: 26086:26088 transaction failed 29201/-22, size 0-8 line 3241 [ 496.340125][ T12] binder: release 26078:26080 transaction 3502 out, still active 03:52:05 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40406301, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 496.368189][ T12] binder: unexpected work type, 4, not freed [ 496.379548][T26091] binder: 26087:26091 transaction failed 29201/-22, size 0-8 line 3241 [ 496.392025][T26090] binder: 26066:26090 transaction failed 29201/-22, size 24-8 line 3257 [ 496.405856][ T12] binder: undelivered TRANSACTION_COMPLETE 03:52:05 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x7]}}}], 0x0, 0x0, 0x0}) [ 496.414936][ T12] binder: undelivered TRANSACTION_COMPLETE [ 496.424425][T26090] binder: 26066:26090 ioctl c0306201 200002c0 returned -14 [ 496.447225][ T12] binder: send failed reply for transaction 3502, target dead [ 496.489105][T26103] binder: 26100:26103 transaction failed 29189/-22, size 0-8 line 2994 [ 496.492413][ T12] binder: send failed reply for transaction 3507 to 26066:26071 [ 496.506914][T26102] binder: 26101:26102 got reply transaction with no transaction stack 03:52:05 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x4c00, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:52:05 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000001b1, 0x0) 03:52:05 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7a, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 496.534569][T26102] binder: 26101:26102 ioctl c0306201 200002c0 returned -14 03:52:05 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x8]}}}], 0x0, 0x0, 0x0}) [ 496.582707][ T12] binder_release_work: 55 callbacks suppressed [ 496.582716][ T12] binder: undelivered TRANSACTION_ERROR: 29201 03:52:05 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40406301, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 496.653073][T26111] binder: BINDER_SET_CONTEXT_MGR already set 03:52:05 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000001b2, 0x0) [ 496.716454][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 496.717255][T26120] binder_alloc: 26101: binder_alloc_buf, no vma [ 496.726386][ T12] binder: undelivered TRANSACTION_ERROR: 29201 [ 496.731432][T26119] binder: 26118:26119 got reply transaction with no transaction stack [ 496.750720][T26111] binder: 26110:26111 ioctl 40046207 0 returned -16 03:52:05 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0xa]}}}], 0x0, 0x0, 0x0}) [ 496.772892][T26122] binder: 26110:26122 ioctl c0306201 200002c0 returned -14 [ 496.786332][T26119] binder: 26118:26119 ioctl c0306201 200002c0 returned -14 [ 496.797585][ T12] binder: undelivered TRANSACTION_COMPLETE 03:52:05 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x300, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 496.830631][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 496.862056][ T12] binder: undelivered TRANSACTION_ERROR: 29201 [ 496.867426][T26120] binder_alloc: binder_alloc_mmap_handler: 26110 20001000-20004000 already mapped failed -16 03:52:05 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40406301, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:52:05 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000176, 0x0) [ 496.897709][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 496.911340][T26130] binder_alloc: 26118: binder_alloc_buf, no vma [ 496.929977][ T12] binder: undelivered transaction 3520, process died. [ 496.966641][T26122] binder: 26110:26122 ioctl c0306201 200002c0 returned -14 [ 496.973021][ T12] binder: undelivered TRANSACTION_ERROR: 29201 03:52:05 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x500, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 497.018723][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 497.032327][T26137] binder: BINDER_SET_CONTEXT_MGR already set 03:52:05 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x48]}}}], 0x0, 0x0, 0x0}) [ 497.073254][T26137] binder: 26135:26137 ioctl 40046207 0 returned -16 [ 497.073263][ T12] binder: undelivered TRANSACTION_ERROR: 29189 [ 497.073334][ T12] binder: undelivered TRANSACTION_ERROR: 29189 03:52:05 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x6800, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 497.114339][T26137] binder: 26135:26137 got reply transaction with no transaction stack [ 497.135155][T26143] binder_alloc: 26110: binder_alloc_buf, no vma [ 497.175126][ T12] binder: undelivered TRANSACTION_COMPLETE [ 497.176672][T26137] binder: 26135:26137 ioctl c0306201 200002c0 returned -14 [ 497.189771][T26146] binder_alloc: 26110: binder_alloc_buf, no vma [ 497.209573][T26149] binder: 26148:26149 sending u0000000000000000 node 3532, cookie mismatch 0000000000000004 != 0000000000000000 03:52:06 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000001b3, 0x0) 03:52:06 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x600, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:52:06 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x4c]}}}], 0x0, 0x0, 0x0}) [ 497.312777][T26149] binder: 26148:26149 ioctl c0306201 200002c0 returned -14 [ 497.342053][T26153] binder_alloc: binder_alloc_mmap_handler: 26148 20001000-20004000 already mapped failed -16 03:52:06 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000177, 0x0) 03:52:06 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40406301, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 497.367564][T26149] binder: BINDER_SET_CONTEXT_MGR already set [ 497.429533][T26149] binder: 26148:26149 ioctl 40046207 0 returned -16 [ 497.429713][T26157] binder_alloc: 26148: binder_alloc_buf, no vma [ 497.452330][T26167] binder: BINDER_SET_CONTEXT_MGR already set [ 497.459081][T26161] binder_alloc: 26148: binder_alloc_buf, no vma [ 497.463041][T26167] binder: 26164:26167 ioctl 40046207 0 returned -16 [ 497.472785][T26166] binder_alloc: 26148: binder_alloc_buf, no vma 03:52:06 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x68]}}}], 0x0, 0x0, 0x0}) [ 497.476999][ T12] binder: release 26148:26149 transaction 3531 out, still active [ 497.497359][T26165] binder_alloc: 26148: binder_alloc_buf, no vma [ 497.505748][T26166] binder: 26148:26166 ioctl c0306201 200002c0 returned -14 [ 497.513628][T26167] binder: 26164:26167 ioctl c0306201 200002c0 returned -14 [ 497.516112][ T12] binder: unexpected work type, 4, not freed 03:52:06 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x700, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:52:06 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000001b4, 0x0) 03:52:06 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x6c00, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 497.570466][ T12] binder: undelivered TRANSACTION_COMPLETE [ 497.605953][ T12] binder: send failed reply for transaction 3531, target dead 03:52:06 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40406301, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 497.685712][T26182] binder: 26175:26182 sending u0000000000000000 node 3544, cookie mismatch 0000000000000004 != 0000000000000000 [ 497.726981][T26184] binder: BINDER_SET_CONTEXT_MGR already set [ 497.736397][T26184] binder: 26183:26184 ioctl 40046207 0 returned -16 [ 497.744512][T26184] binder: 26183:26184 got reply transaction with bad transaction stack, transaction 3547 has target 26175:0 [ 497.768882][T26182] binder: 26175:26182 ioctl c0306201 200002c0 returned -14 03:52:06 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x6c]}}}], 0x0, 0x0, 0x0}) 03:52:06 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xa00, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 497.783127][T26184] binder: 26183:26184 ioctl c0306201 200002c0 returned -14 [ 497.826789][T26188] binder_alloc: binder_alloc_mmap_handler: 26175 20001000-20004000 already mapped failed -16 [ 497.828918][ T22] binder: release 26183:26184 transaction 3547 out, still active 03:52:06 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40406301, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 497.868959][T26182] binder: BINDER_SET_CONTEXT_MGR already set 03:52:06 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x74]}}}], 0x0, 0x0, 0x0}) 03:52:06 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000178, 0x0) [ 497.911496][ T22] binder: unexpected work type, 4, not freed [ 497.938723][ T22] binder: undelivered TRANSACTION_COMPLETE [ 497.990538][T26182] binder: 26175:26182 ioctl 40046207 0 returned -16 [ 498.002552][T26199] binder: 26175:26199 ioctl c0306201 200002c0 returned -14 03:52:06 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x7a]}}}], 0x0, 0x0, 0x0}) 03:52:06 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 498.031347][T26197] binder: 26195:26197 ioctl c0306201 200002c0 returned -14 03:52:06 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000001b5, 0x0) 03:52:06 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40406301, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 498.122743][ T22] binder: send failed reply for transaction 3543 to 26175:26182 [ 498.130475][ T22] binder: send failed reply for transaction 3547, target dead 03:52:07 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x7400, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:52:07 executing program 2: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x300]}}}], 0x0, 0x0, 0x0}) 03:52:07 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4800, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 498.229413][T26215] binder: 26214:26215 ioctl c0306201 200002c0 returned -14 [ 498.264558][T26218] binder: 26217:26218 sending u0000000000000000 node 3562, cookie mismatch 0000000000000004 != 0000000000000000 03:52:07 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000001b6, 0x0) 03:52:07 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40406301, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 498.325261][T26223] ------------[ cut here ]------------ [ 498.330784][T26223] kernel BUG at drivers/android/binder_alloc.c:1141! [ 498.337090][T26218] binder: 26217:26218 ioctl c0306201 200002c0 returned -14 [ 498.382355][T26226] binder_alloc: binder_alloc_mmap_handler: 26217 20001000-20004000 already mapped failed -16 [ 498.420105][T26218] binder: BINDER_SET_CONTEXT_MGR already set [ 498.447576][T26218] binder: 26217:26218 ioctl 40046207 0 returned -16 [ 498.458518][T26234] binder: 26230:26234 ioctl c0306201 200002c0 returned -14 [ 498.482752][T26233] binder: 26217:26233 ioctl c0306201 200002c0 returned -14 [ 498.488392][T26223] invalid opcode: 0000 [#1] PREEMPT SMP KASAN [ 498.496074][T26223] CPU: 1 PID: 26223 Comm: syz-executor.2 Not tainted 5.1.0-rc2+ #38 [ 498.501897][ T12] binder: release 26217:26218 transaction 3561 out, still active [ 498.504133][T26223] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 498.504157][T26223] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510 [ 498.504179][T26223] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 ff f7 23 fc 4c 89 e6 4c 89 ef e8 14 f9 23 fc 4d 39 e5 76 07 e8 ea f7 23 fc <0f> 0b e8 e3 f7 23 fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 f1 03:52:07 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x7a00, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 498.520802][ T12] binder: unexpected work type, 4, not freed [ 498.521927][T26223] RSP: 0018:ffff888051697550 EFLAGS: 00010216 [ 498.521940][T26223] RAX: 0000000000040000 RBX: 0000000020001040 RCX: ffffc9000a235000 [ 498.521948][T26223] RDX: 00000000000002df RSI: ffffffff854c7996 RDI: 0000000000000006 [ 498.521956][T26223] RBP: ffff8880516975d0 R08: ffff888058b0a340 R09: 0000000000000028 [ 498.521964][T26223] R10: ffffed100a2d2f01 R11: ffff88805169780f R12: 0000000000000008 [ 498.521981][T26223] R13: 0000000000000028 R14: ffff88808b10f450 R15: 0000000000000000 [ 498.532535][ T12] binder: send failed reply for transaction 3561, target dead [ 498.548185][T26223] FS: 00007faba06fc700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 [ 498.548194][T26223] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 498.548200][T26223] CR2: 00007f460d7cb000 CR3: 00000000919fc000 CR4: 00000000001406e0 [ 498.548208][T26223] Call Trace: [ 498.548234][T26223] ? memcpy+0x46/0x50 [ 498.548253][T26223] binder_alloc_copy_from_buffer+0x37/0x42 [ 498.548276][T26223] binder_get_object+0xc3/0x200 [ 498.586951][ T3875] kobject: 'loop1' (00000000c6a579dd): kobject_uevent_env [ 498.592227][T26223] binder_transaction+0x2b4a/0x6690 [ 498.592254][T26223] ? binder_thread_read+0x3d50/0x3d50 [ 498.592269][T26223] ? __lock_acquire+0x548/0x3fb0 [ 498.592291][T26223] ? __might_fault+0x12b/0x1e0 [ 498.592317][T26223] ? lock_downgrade+0x880/0x880 [ 498.600430][ T3875] kobject: 'loop1' (00000000c6a579dd): fill_kobj_path: path = '/devices/virtual/block/loop1' [ 498.607777][T26223] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 498.607794][T26223] ? _copy_from_user+0xdd/0x150 [ 498.607820][T26223] binder_thread_write+0x87e/0x2820 [ 498.607844][T26223] ? binder_transaction+0x6690/0x6690 [ 498.626425][T26239] binder: 26237:26239 sending u0000000000000000 node 3572, cookie mismatch 0000000000000004 != 0000000000000000 [ 498.631367][T26223] ? __might_fault+0x12b/0x1e0 [ 498.631389][T26223] ? lock_downgrade+0x880/0x880 [ 498.631420][T26223] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 498.634917][T26239] binder: 26237:26239 ioctl c0306201 200002c0 returned -14 03:52:07 executing program 4: openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0) sched_setaffinity(0x0, 0x63, &(0x7f0000000000)=0x9) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') preadv(r0, &(0x7f0000000480), 0x1000000000000179, 0x0) 03:52:07 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4c00, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) 03:52:07 executing program 3: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40406301, {{0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) 03:52:07 executing program 0: sched_setaffinity(0x0, 0x63, &(0x7f0000000000)) perf_event_open(&(0x7f0000000040)={0x1, 0x70, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0) preadv(0xffffffffffffffff, &(0x7f0000001380)=[{&(0x7f0000000180)=""/148, 0x94}], 0x1, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000880)='mounts\x00') ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) preadv(r0, &(0x7f0000000480), 0x10000000000001b7, 0x0) [ 498.638712][T26223] ? _copy_from_user+0xdd/0x150 [ 498.638733][T26223] binder_ioctl+0x1033/0x183b [ 498.638754][T26223] ? binder_thread_write+0x2820/0x2820 [ 498.648400][T26240] binder_alloc: binder_alloc_mmap_handler: 26237 20001000-20004000 already mapped failed -16 [ 498.649385][T26223] ? tomoyo_path_number_perm+0x263/0x520 [ 498.649401][T26223] ? tomoyo_execute_permission+0x4a0/0x4a0 [ 498.649428][T26223] ? binder_thread_write+0x2820/0x2820 [ 498.657024][T26239] binder: BINDER_SET_CONTEXT_MGR already set 03:52:07 executing program 1: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(0x0, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x3000)=nil, 0x3000, 0x0, 0x20011, r1, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) socket$inet_udp(0x2, 0x2, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000440)={0x44, 0x0, &(0x7f0000000300)=[@transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000200)=[@flat={0x73622a85}], &(0x7f0000000240)=[0x0]}}], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x1000000, 0x0, 0x1, 0x0, 0x0, 0x18, 0x8, &(0x7f0000000480)=[@flat={0x73622a85, 0x0, 0x0, 0x4}], &(0x7f0000000600)=[0x0]}}}], 0xe4, 0x0, 0x0}) [ 498.661722][T26223] do_vfs_ioctl+0xd6e/0x1390 [ 498.661740][T26223] ? ioctl_preallocate+0x210/0x210 [ 498.661754][T26223] ? __fget+0x381/0x550 [ 498.661769][T26223] ? ksys_dup3+0x3e0/0x3e0 [ 498.661784][T26223] ? nsecs_to_jiffies+0x30/0x30 [ 498.661808][T26223] ? tomoyo_file_ioctl+0x23/0x30 [ 498.667640][T26239] binder: 26237:26239 ioctl 40046207 0 returned -16 [ 498.672113][T26223] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 498.672130][T26223] ? security_file_ioctl+0x93/0xc0 [ 498.672145][T26223] ksys_ioctl+0xab/0xd0 03:52:07 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6000, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 498.672168][T26223] __x64_sys_ioctl+0x73/0xb0 [ 498.678747][T26241] binder: 26237:26241 ioctl c0306201 200002c0 returned -14 [ 498.681791][T26223] do_syscall_64+0x103/0x610 [ 498.681818][T26223] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 498.681839][T26223] RIP: 0033:0x458209 [ 498.692264][ T12] binder: release 26237:26239 transaction 3571 out, still active [ 498.698224][T26223] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 498.698232][T26223] RSP: 002b:00007faba06fbc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 498.698245][T26223] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458209 [ 498.698253][T26223] RDX: 00000000200002c0 RSI: 00000000c0306201 RDI: 0000000000000003 [ 498.698269][T26223] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 [ 498.710507][ T12] binder: unexpected work type, 4, not freed [ 498.713717][T26223] R10: 0000000000000000 R11: 0000000000000246 R12: 00007faba06fc6d4 [ 498.713726][T26223] R13: 00000000004bf49a R14: 00000000004d0e80 R15: 00000000ffffffff [ 498.713740][T26223] Modules linked in: [ 498.745276][T26223] ---[ end trace fe1f241a00c936d1 ]--- [ 498.752658][ T3875] kobject: 'loop3' (00000000dc5829f0): kobject_uevent_env [ 498.786076][T26248] binder: BINDER_SET_CONTEXT_MGR already set [ 498.814330][ T3875] kobject: 'loop3' (00000000dc5829f0): fill_kobj_path: path = '/devices/virtual/block/loop3' [ 498.835262][T26223] RIP: 0010:binder_alloc_do_buffer_copy+0xd6/0x510 [ 498.862954][T26248] binder: 26245:26248 ioctl 40046207 0 returned -16 [ 498.874358][T26223] Code: 02 00 0f 85 20 04 00 00 4d 8b 64 24 58 49 29 dc e8 ff f7 23 fc 4c 89 e6 4c 89 ef e8 14 f9 23 fc 4d 39 e5 76 07 e8 ea f7 23 fc <0f> 0b e8 e3 f7 23 fc 4c 8b 75 d0 4d 29 ec 4c 89 e6 4c 89 f7 e8 f1 [ 498.886383][T26250] binder: BINDER_SET_CONTEXT_MGR already set [ 498.903736][T26223] RSP: 0018:ffff888051697550 EFLAGS: 00010216 [ 498.932934][ T3875] kobject: 'loop5' (000000000a7073a8): kobject_uevent_env 03:52:07 executing program 5: r0 = syz_open_dev$binder(&(0x7f0000d59ff3)='/dev/binder#\x00', 0xffffffffffffffff, 0x0) r1 = socket$inet_udp(0x2, 0x2, 0x0) ioctl$PERF_EVENT_IOC_ENABLE(r1, 0x8912, 0x400200) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000700)=[@transaction_sg={0x40486311, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6800, 0x0, 0x8, 0x0, &(0x7f0000000600)=[0x0]}}}], 0x0, 0x0, 0x0}) [ 498.936840][T26255] binder: 26245:26255 got reply transaction with no transaction stack [ 498.998704][ T3875] kobject: 'loop5' (000000000a7073a8): fill_kobj_path: path = '/devices/virtual/block/loop5' [ 499.002307][T26223] RAX: 0000000000040000 RBX: 0000000020001040 RCX: ffffc9000a235000 [ 499.027920][ T12] binder: send failed reply for transaction 3571, target dead [ 499.041300][T26255] binder: 26245:26255 ioctl c0306201 200002c0 returned -14 [ 499.050053][T26250] binder: 26249:26250 ioctl 40046207 0 returned -16 [ 499.056424][ T3875] kobject: 'loop4' (000000007e27871f): kobject_uevent_env [ 499.075262][T26223] RDX: 00000000000002df RSI: ffffffff854c7996 RDI: 0000000000000006 [ 499.082057][T26257] binder: 26249:26257 ioctl c0306201 200002c0 returned -14 [ 499.121335][ T3875] kobject: 'loop4' (000000007e27871f): fill_kobj_path: path = '/devices/virtual/block/loop4' [ 499.143369][ T3875] kobject: 'loop0' (0000000095e4d89b): kobject_uevent_env [ 499.168734][ T3875] kobject: 'loop0' (0000000095e4d89b): fill_kobj_path: path = '/devices/virtual/block/loop0' [ 499.170649][T26223] RBP: ffff8880516975d0 R08: ffff888058b0a340 R09: 0000000000000028 [ 499.189776][ T3875] kobject: 'loop1' (00000000c6a579dd): kobject_uevent_env [ 499.197365][ T3875] kobject: 'loop1' (00000000c6a579dd): fill_kobj_path: path = '/devices/virtual/block/loop1' [ 499.224752][ T3875] kobject: 'loop5' (000000000a7073a8): kobject_uevent_env [ 499.234652][T26223] R10: ffffed100a2d2f01 R11: ffff88805169780f R12: 0000000000000008 [ 499.239582][ T3875] kobject: 'loop5' (000000000a7073a8): fill_kobj_path: path = '/devices/virtual/block/loop5' [ 499.244940][T26223] R13: 0000000000000028 R14: ffff88808b10f450 R15: 0000000000000000 [ 499.261492][T26223] FS: 00007faba06fc700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 [ 499.264871][T26250] binder_alloc: binder_alloc_mmap_handler: 26249 20001000-20004000 already mapped failed -16 [ 499.288442][ T3875] kobject: 'loop0' (0000000095e4d89b): kobject_uevent_env [ 499.295712][T26257] binder: 26249:26257 ioctl c0306201 200002c0 returned -14 [ 499.303540][T26223] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 499.310413][ T3875] kobject: 'loop0' (0000000095e4d89b): fill_kobj_path: path = '/devices/virtual/block/loop0' [ 499.322020][T26223] CR2: 000000000073c000 CR3: 00000000919fc000 CR4: 00000000001406f0 [ 499.329081][ T3875] kobject: 'loop1' (00000000c6a579dd): kobject_uevent_env [ 499.333889][T26223] Kernel panic - not syncing: Fatal exception [ 499.349606][T26223] Kernel Offset: disabled [ 499.353931][T26223] Rebooting in 86400 seconds..