Starting mcstransd: [ 14.002257] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available) [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 36.524717] random: sshd: uninitialized urandom read (32 bytes read, 43 bits of entropy available) [ 36.869105] random: sshd: uninitialized urandom read (32 bytes read, 43 bits of entropy available) [ 37.574336] random: sshd: uninitialized urandom read (32 bytes read, 122 bits of entropy available) [ 39.568394] random: nonblocking pool is initialized Warning: Permanently added 'ci-android-44-kasan-gce-1,10.128.0.39' (ECDSA) to the list of known hosts. 2017/12/08 23:39:55 fuzzer started 2017/12/08 23:39:55 dialing manager at 10.128.0.26:44059 2017/12/08 23:39:57 kcov=false, comps=false 2017/12/08 23:39:57 executing program 0: mmap(&(0x7f00004eb000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f00004ec000-0x1)="2f6465762f62696e6465722300", 0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_SET_MAX_THREADS(r0, 0xc020660b, 0x5) 2017/12/08 23:39:57 executing program 3: mmap(&(0x7f0000000000/0xc000)=nil, 0xc000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f000000c000-0xd)="2f6465762f62696e6465722300", 0x0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000a000-0x30)={0x4, 0x0, &(0x7f000000a000-0x10)=[@enter_looper={0x630c}], 0x0, 0x0, &(0x7f0000009000)=""}) poll(&(0x7f000000b000)=[{r0, 0xfffffffffffffffd, 0x0}, {r0, 0x0, 0x0}], 0x2, 0xffffffffffffff2e) mmap(&(0x7f000000c000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) poll(&(0x7f000000d000-0x8)=[{r0, 0x10, 0x0}], 0x1, 0x9) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000007000)={0x10, 0x0, &(0x7f0000006000-0x2c)=[@acquire={0x40046305, 0x0}, @acquire={0x400c630e, 0x0}], 0x0, 0x0, &(0x7f0000002000)=""}) mmap(&(0x7f000000c000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f000000c000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f000000c000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000002000)={0x0, 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000002000)={0x30, 0x0, &(0x7f0000009000)=[@enter_looper={0x630c}, @release={0x40046306, 0x4}, @increfs={0x40046304, 0x3}, @release={0x40046306, 0x2}, @acquire_done={0x40106309, r1, 0x0}], 0x13, 0x0, &(0x7f0000004000)="2f7b51259682376c3c092ff4edd1807aa04031"}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000000c000)={0x14, 0x0, &(0x7f000000d000-0x14)=[@exit_looper={0x630d}, @clear_death={0x400c630f, 0x2, 0x1}], 0xc2, 0x0, &(0x7f000000d000-0xc2)="1499b9a13a5ac596e914b573fb7278391fcf8aac37c094f510f15af70ae2ac98b6917d722f296dec1a3532c852d7bef5159e307eece18cf072b4d4698e2572babe844b274f59d96e18a4bfe31a26f911c9d73ed02df86b45c668cb91689bd7f972a5998bfd14685d6663a47906142a08ee0724f5eff3021c8db46edbc3923de56687746470cda369affdfa5a6046ece831d26940d228f4420cf22b936e7617f5557f65d030fa89e47d084f1d6d216512636a57573fdcad28cd49cd67dda3f6f9d4f1"}) poll(&(0x7f000000c000)=[{r0, 0x1000, 0x0}, {r0, 0x2000, 0x0}, {r0, 0x100, 0x0}, {r0, 0x80, 0x0}, {r0, 0x19c, 0x0}, {r0, 0x20, 0x0}], 0x6, 0x9) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000009000-0x30)={0x8, 0x0, &(0x7f0000008000)=[@release={0x400c630f, 0x0}], 0x0, 0x0, &(0x7f0000001000-0xb3)=""}) 2017/12/08 23:39:57 executing program 7: mmap(&(0x7f0000000000/0x8000)=nil, 0x8000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000005000)="2f6465762f62696e6465722300", 0x0, 0x0) close(r0) r1 = syz_open_dev$binder(&(0x7f0000009000-0xd)="2f6465762f62696e6465722300", 0x0, 0x0) mmap(&(0x7f0000000000/0x2000)=nil, 0x2000, 0x0, 0x20011, r1, 0x0) mmap(&(0x7f0000000000/0x8000)=nil, 0x8000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r2 = syz_open_dev$binder(&(0x7f0000009000-0xd)="2f6465762f62696e6465722300", 0x0, 0x0) r3 = syz_open_dev$binder(&(0x7f0000009000-0xd)="2f6465762f62696e6465722300", 0x0, 0x0) mmap(&(0x7f0000000000/0x2000)=nil, 0x2000, 0x0, 0x20011, r3, 0x0) ioctl$BINDER_THREAD_EXIT(r2, 0x40046208, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r3, 0x40046207, 0x0) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000007000)={0x14, 0x0, &(0x7f0000005000-0x14)=[@acquire_done={0x40486311, 0x0, 0x0}], 0x0, 0x0, &(0x7f0000008000)=""}) r4 = syz_open_dev$binder(&(0x7f0000006000)="2f6465762f62696e6465722300", 0x0, 0x800) ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f0000004000)={0x24, 0x0, &(0x7f0000004000-0x24)=[@register_looper={0x630b}, @decrefs={0x40046307, 0x0}, @increfs_done={0x40106308, 0x80000000, 0x1}, @enter_looper={0x630c}], 0xdd, 0x0, &(0x7f0000002000)="b15eeabf520001c79d69724fca1a167f23f7655c5dc60e70ed3ec0f0bac34e9676848dc99cd8ada7463a411f988b4675ad9a4376b057c15f729b8bbe04c5af34e1ee298fd9d4758cbf2a6ee35182a1fa0845b547eadb1e6365281d2b8e5e8b70920dc629fd19eef433596feab3ab84b6652e74b24851465bf14f176b689f524c97f4b87b26cd0be6515390479287bc7abd2461f95c089fd4578acd6707ffdea15e1c75dadfa65d45db9333f46649fe35f6b971e98c265fcdeaa4fc6b20c4b32039c24e78d6606b604688a0aebc0c51715b1b4deaf26a3817e0887163b6"}) close(r4) mmap(&(0x7f000000a000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) poll(&(0x7f0000008000-0x38)=[{r3, 0x208, 0x0}, {r4, 0x1, 0x0}, {r3, 0x40, 0x0}, {r3, 0x8004, 0x0}, {r4, 0x40, 0x0}, {r4, 0x2040, 0x0}, {r4, 0x1, 0x0}], 0x7, 0x0) ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f000000a000)={0x50, 0x0, &(0x7f0000004000-0xd4)=[@free_buffer={0x40086303, 0x20400000000}, @transaction={0x40406300, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f000000e000-0x1)=[], &(0x7f000000d000)=[]}}], 0x0, 0x0, &(0x7f0000004000-0x4f)=""}) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) syz_open_dev$binder(&(0x7f0000003000)="2f6465762f62696e6465722300", 0x0, 0x7fe) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000008000)={0x0, 0x0, 0x0, 0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000001000)={0x0, 0x0, 0x0, 0x0}) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000008000)={0x0, 0x0, 0x0, 0x0}) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f0000008000)={r5, 0x0, 0x0, 0x0}) 2017/12/08 23:39:57 executing program 1: mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) syz_open_dev$binder(&(0x7f0000000000)="2f6465762f62696e6465722300", 0x0, 0x800) r0 = syz_open_dev$binder(&(0x7f0000001000-0xd)="2f6465762f62696e6465722300", 0x0, 0x802) r1 = syz_open_dev$binder(&(0x7f000028c000-0xd)="2f6465762f62696e6465722300", 0x0, 0x803) r2 = syz_open_dev$binder(&(0x7f0000001000-0x3)="2f6465762f62696e6465722300", 0x0, 0x40a00) mmap(&(0x7f00004e1000/0x4000)=nil, 0x4000, 0x8, 0x11, r2, 0x0) ioctl$BINDER_SET_MAX_THREADS(r2, 0x40046205, 0x1) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_THREAD_EXIT(r1, 0x40046208, 0x0) close(r2) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) syz_open_dev$binder(&(0x7f00004e2000)="2f6465762f62696e6465722300", 0x0, 0x800) syz_open_dev$binder(&(0x7f0000001000-0xd)="2f6465762f62696e6465722300", 0x0, 0x802) syz_open_dev$binder(&(0x7f000028c000-0xd)="2f6465762f62696e6465722300", 0x0, 0x803) r3 = syz_open_dev$binder(&(0x7f0000001000-0x3)="2f6465762f62696e6465722300", 0x0, 0xa00) ioctl$BINDER_SET_MAX_THREADS(r3, 0x40046205, 0x2) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r4 = syz_open_dev$binder(&(0x7f0000004000-0xd)="2f6465762f62696e6465722300", 0x0, 0x803) mmap(&(0x7f000057a000/0x4000)=nil, 0x4000, 0x2000004, 0x50, 0xffffffffffffffff, 0x0) ioctl$BINDER_THREAD_EXIT(r4, 0x40046208, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0x4eb000)=nil, 0x4eb000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f00004eb000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r5 = syz_open_dev$binder(&(0x7f00004ec000-0x1)="2f6465762f62696e6465722300", 0x0, 0x0) ioctl$BINDER_SET_MAX_THREADS(r5, 0xc0189436, 0x80007d) mmap(&(0x7f00004ec000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f000057d000-0x30)={0x8, 0x0, &(0x7f000057d000)=[@increfs={0x40046304, 0x3}], 0xf7, 0x0, &(0x7f0000002000-0xf7)="bb5827b7cc7fd2c8b880838b49dd6bc3ab1f3a2fb92227a4b3bbc423032ea5617d49d6f610037cff2d4e5da6a4c4dfc6c76427885eabc229349aa759489c2739573ae1d2e25fa38921a2ba2ce3646982ff097fe5b86ae8a46037d9a8d5897304faf4cb411495d3a37f583327a24f1402b713e49470ae82c15c14e1e50d2bfa6035f3b06ff2c68020797104ba59e67b3022de6b303d91b9ba7feb581b021184b26e74c9beb92d21fb2d9e836ccfa68e30b015e9af1512426b7e2022d347f9174eb03d43a77c81cec8e46cbc7eda157f7c1c8348402e7170012be340c6928ebea25edfa2f95898c1671bf73bafe857d313f5ecbf8fd14009"}) mmap(&(0x7f00004ed000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r5, 0xc018620b, &(0x7f00004ed000)={0x0, 0x0, 0x0, 0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000005000-0x18)={r6, 0x0, 0x0, 0x0}) ioctl$BINDER_SET_MAX_THREADS(r4, 0x40046205, 0x1ff) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) 2017/12/08 23:39:57 executing program 4: mmap(&(0x7f0000000000/0x8000)=nil, 0x8000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000005000)="2f6465762f62696e6465722300", 0x0, 0x0) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) poll(&(0x7f0000009000-0x18)=[], 0x0, 0xfffffffffffffff9) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000009000-0xd)="2f6465762f62696e6465722300", 0x0, 0x0) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f0000009000)={0x0, 0x0, 0x0, 0x0}) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000009000)={0x14, 0x0, &(0x7f0000006000-0x14)=[@acquire={0x40046305, 0x1}, @free_buffer={0x40086303, r2}], 0xd7, 0x0, &(0x7f0000005000-0xd7)="10d8ea6248002a6cbf3b6da41bb9eab4fb0d0bf2b2264236b6135c0a6f113b89f1e5ece30c0aff75d9822e362dd31e88fc4d5c5fcc3bde6210f4c5d18e01e6ec150b94ed3be3d3cce57bcd333642aad639e295d2ca483e965baed8d82170a7718bc8224d0cc7b0be911471796289340ede117cabb0bf7ed52ee9a213a39c4c4450ca352d2758b60c44ab0cdf01ae81ccf14d69d8e0cbd168d98c8961436dd11d4e9c8ab6c0fd7598c7b1bf214932dde74764cf7107d2e6499fa67a61ba08eb44ac382256a34845412f5e3f016c3291d147bbb1a1f4746a"}) mmap(&(0x7f0000000000/0x2000)=nil, 0x2000, 0x0, 0x20011, r1, 0x0) syz_open_dev$binder(&(0x7f0000004000)="2f6465762f62696e6465722300", 0x0, 0x800) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_SET_MAX_THREADS(r1, 0x40046205, 0x4) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f000000a000-0x30)={0x4, 0x0, &(0x7f000000a000-0x10)=[@register_looper={0x630b}], 0x1000, 0x0, &(0x7f000000a000)="d8fc1dd16de371f1d99e3b4d488546c2bbb067efde9e55e9d1048602c19fe0b0078ade697201170fdbcc34816df860d3f87023a9d8567fa3297aac9d65b25106fc55ed85da8cb6f35c848cd2bf86eec98b36eaf463517da34d9d2e9dc0550d257fef0e1d0170a957c2efa452a5100020496307afd61838d683e0113f2425045cda5f96a9becc66cbad67be7d03c9056d769e36c7317a558858a38cf45789061479ded11c95b3266c6da047d4f07469daff8ad558b2a434ece5d27a0b73fafc842aed8018d99ebc3d8357e8aafc818ce06ec937082c9e1f360a4f907142a22dab11eaef8dc8251a1b8070c75344004a685a00130b5842b7bc7bf9e7401ce89e04718d9b6e10a97b00808c1a826aa10f757e806ac6e58ae892b252f767e47eb9120486fbbaea0a3775540cb007ee9f7eabbb519aeb81deab86e919d1a9759c4e770f66c5d43e5eca92e5e0509aceed732c86e4050478c8217d18974022ba257f29dc677f3c520e3c3acbbd4f5566e67fae7da873c788c76751437977df15040b8a99c945f69212f50e23eb26acab77bcc9d22ddfb2b43ef96328810b5421e150a1d6036a6c1c3f33a75953bdcc1bd2b2e511262c9fc51f9519ef9944c0653065009567d1650e2c6015d23f932a30eeb2d6451a0a9eec58dfba543aa85604f54130ae34edd061079d980dba76116f73b252cded082c18eee7da0268d7f0e3180979c5e573a6d7d04e1f095e3c10aae1bd1923ddaee0cd5dff7a0117e193417fea0efb16d4b9918be7d8f4a6be5bd1a76e34c0cd2180104dbf3f93b563715ad2dfbb8a59f3b4397d69350410fd9a4fec4cb0144c230bfcc8826dfbde38510a5cde4b29a4b673e8eabafa1c54e589a800e83bd944565edba8f80d3f52c010f4479787385b12e5c8a0d6431e77fae5d876d804fabc721d4d11b51e88d0898b5efd7db91fc0b2b93e6b3156e8b554cadb0fabdbd7c1f8cebd9ae2814488f07d2229f831d520442e0f6f76580893ece9d06551af649c16a87d4602e4f5e37fb84f344a8c35dbc4c86b52238d2112b8ab1f0963b8cee4fb1e4bb790f63c9aaecd9b76872c319f0a9de03e5a557a4a3cc7654df309039a3d264b0bbd34f2836ab00ba666e807a4f5887f899b82d1e9c1dd14cd6058d8321f0157b0c2f128851801fefe527f1faf5beaa62a6940af5a09a771a43b3abc9e654bf6f039e52feb501a83eef1be3dafba33b577c902fa1560a2f219d25dcc936a9bfed17c6c4c13bbca076213ecc1d4fe4069131d4d19ef59aeb072f252d8d24694c37426bf5cef20708126ede86bc091b17b17a49bffd86a5779d12a039e25c52b825fe94aee29d80ef05a38884357fd4bddf9d5ad3e93dd5764a2d775da48e7ccf577c1bad2807301eedcefea78a993a8ba735425d01c902a2f0cfe1dba148e790664b64c0e2d66da8d70ab39bc3950185d7f5eea4af967caa04d5b99525d3fd0bc765749efbf0aa2f7ca4d8970d5ff4b52ab21907385ad9a9ebd7cab031142e1e05f44efbd7a3fc6d355fe0e8dc5038009f549d0ac9e968874b151206c27dc73d88e056ca8864becc07b1d001f2f443c1c451043446cfcfbfb4107159beb908791b4f2ca1adba8a222dc28cd73a14cfc27e5aa71130b6f8d717596d3bae3550e8e2852b0027c60b3808f2e7daccb877f112daa2bd05a8a705cced602348ecb8d79fe859f7a382a75b4581d53a75498ad163c5a069ed3b2800fd89612cd9ab5d9f3d50614fffea4d29efb290fd1ed2db06ccbbadf32cd654b78c6e1eaa7eac6e0ba7092ddf55aa7ef28acc51ddd6dcecde438bb9e0162f841e9394b83fbb4080eb24000a3723b7789f3997e30b9978b4f3f33cf60dddca9db074979b226867d7d9254901674f23dfdcfe94ab187c7daae3404ec660175265fd0360dcdf289e44e379aec856a5b6c31fefcdd82bf77c5bcb132e37fb7e44db139b384219b5d558f48d97a03c6ae1d07a162290eba91730f112c37c4b3dcb9bc708235010093a2a4ade9d7d2f62b0c6e8bc4f5b58315cdfb39f869020b0c23d257bbcaea1b11177d704b12d91721740d5e4e8d13b2eec2810543017fb5dada1d8e86b6eae612f0967f92a9a61a5a9dbae222c457e7cbdb1eec1022200458ad5445914d01e21781f124938b17cf523de77165ae4dab389b42f85e0c91b660b221c053b06342a299502cce82a9c7d971e89c22c28fdaf800e50788ed3e364f93db2ccb0f5979a06381c600eea1e150de97b8f734f15bb92f37f0e77a6133041d6d09cd0705c61540e113ea51fb93684fb3cf7b70ca0643a141cd9684367fd1260d7e5a9530e0ff478232097cd33ec286457b873cf4f69ba8a73b696aee897449bbc51e0d2c20fd72546e551cf43ef3a28d126e90c2c70313ac9af6b983708db3811fdce462dd5f88a5893f65118857f8e44d75bce91a604d33c3808e5646131c704e666428ff42765435f70e1b5b5d7dfcf9b7542a8b330e187b2904bcb18ae70e3079f67e3a3dda69473ec1259d640c2de4730ffacd6997921fcebe5b7159c39ab64867e2dc77c615417efe86cae0d5667adea658b8db50af8d87d5217c795a80c032358f2990d2f3ba0e9ced3ddb2232d655dae046a650d04c80e0206f469c565e9ae2dbdc229ae9a882c470bbdbf3461aceebe47394e32519ce88525d8baa39ed1bff6b7f0e515481cd39f772f65b19a6fd8b4ec76c4e87b6016a5aafe89e8e8ff539627b74183bfccc80dee0c67118a510d095f4faaba7595bbc1d69645373c3203b834cab514b46867c24deddbeb27dfd5fa4d9a31c3ad86dbe1cf6d6083197d29657466fef960d3d845505631bbed278751eb9725287816cbbc2f8151aed7f2fb854bd2ed8bb0152fbfbe8bef872d2252f7a9408381462b040cd31c13764e9ae5e2b0be5e707dd32a8d67de66722e9435c19d19ff8cc5942feb360a4fd64ed30c88c6aa971cf42362def7b19343da3858a1c5b04afbe04dd2fa046ea2f67c32457bdf8c7987563d897b073ad2d0ebb0ce88d1478649248b4147ad06dfcb499ca322e870ce510f39c77502ccf73465cafaad9647ff459dc6f0c704605d287e5b65604ef2bed1488a4a34bab8d7f5786c3e7941cabab0922762db3e3fe347be5ac1596ab34dbbe91aa564f86b91823ef34ea42c7eded1ee1cbbdfbf504eb3d0c132e3fa320254e445441fdde7d1c84b9d4c78cf3ef172bff772b0dc94e1fe1dce0a5951b2cc7c0dd9d60fab69aa22d5b0ff27f58d0da72b2bbd66c889c40174fb7870cda1cadc253c7c2c92529a585d9a698788b5918aa886c88eeea9a57b6894d6c5b5c47f32ec4675e5911dea1f71c425a54c079c1edf846f2df79622864b69904c55a366df6fdc602cc05521814dad21e25278f5ab7432234090a3747e45623efc404db8da511473ade5aa6d476933f22eb09d8bc7297c9bdf4c9864f3479913ed36a3672ae67795d494b6937a9ddc0969dab40fc3a9569c5139247e4ddf1689fc3b7b695538ce6e6e88ed7454e49d191882b8e59f58c1afcb4da30f2053fee9f695118426fec1bc22ff2511e913a9762f6abf1a8dc50aeaef1e57d0cab79f23742000b2a13f77f550cd43b67c4f1ad759990c6d3201b99bbca5e090e664d97933e2ba91b21f92edfb449464ebd15af5b60aff656853012e3b89f2d5b3c576ffddfe87bef26e70cc18e520558292efe6b26ceaecf759b7f29566f2bcb2026d49617829835c240f442da9e72d5fb89e51498cd934acfa73d93348d3db702c339fd2a0a0e9638e9ebf9b1f071593028b23dc063fca7e7e80ffb9b83580bc1a75bcc8d947ba7fea8c4b8380dfec4f2ba03ae9ad819f5768c9619a3347bd0facd347d8e6543b560122d1939c0c0559fead9f5b33b1b49de08a160b7568b8bde187cff1995119e4d91036a29834e764fb4eac704e845711edef88b0934c4d90347919c522199063081f4fa5a7e65d4926e608753eeac154d8a2533390b08b64c71074321ce6b8565ca72e94184772dfd9a38da5a2c18c8fdecb62ad5b934845bd143efff81d5449ada710fc235bcb115111efcf1cf00a6ee9d13198bdc71e7350ad4938753956ead12fc7adff1125927301954eee85d0be77e1660ca76de8a25b311f2eeb47b559e976a07b85e33c290a85cb1898323b91fa472dae34b4728e27e940e9908572b6b4e47690c79254f270302b08d075568a0459ba4329b36627a8cbec908d04510f23c8e621ff64d90abcdec5aa41dbffbf8824637237008a4abc3d99ef98ec9c15a254280bb5d2a021f1e3b6708f1518435164ff734b0d283f0e0f3be323b5af4d9983c41d7726c6db6c3de2e47921ed39c9946078ca16343c6fa0d243e0a8300a233700dc1105056001e03906faf2861117fc726c471777c6deb39a12b736e87b419aee51c27d7c6bef233399bf029b195498962f54041672b084861fdfdfa149e6ef31fedc74336d8e2806d234e26b68a46cec6d8e90078a6bec3578098047f04165ecbaa11c59c9fd50e71a2e40b0086b17a22a7e6ba6f1affa63b9a047249a12b66012de9a47157e0e9badc47d7ccc6eb789ed838444576fc9a1932253c18a994877642a57132ec60a056979b1b15b72fd0c2f05cad4f53e4cb1764b3b4f7e5e47cf72795c939cc5e009901f636b1a96921dd031368eca97bebc9fb83994f2dfacf88053274c43df48e8e964b30d18070b1e0765242673beb416c948b477ee5c9b37fc84cf6022d9ff0c1605a536108439428644c9c2f6f7d1d1c25804d75f315e9f0a913e8c63158b33e8a71e48d66aca5b81ae000db0e508e855b34f75a328943e3e15b14d4d68c909b4faa12479ec3a12c2af57e90a8e026a13c8fd38c80fc30104b5017fd12df991e849861026bba403484df95206de3c40df37829a6dbf7c13d586398cf8038fc970b9aab61e7b445f2dd9fd0d97b2b74710d72b684dfc2655890ea916c768f51890290302496c0f551ed212f97e5fd538e0b12f1baad22378921231e3ef7b095549a886cd49c58bf5f436ebdacb7616c99a15922a2fff1d22d57286390f0ab2b78d050ec3995c89e02233c94ef51fbbd975edc5b220e0ed2d1d7c3e2ed342845e68a538640012b01d6efd0f1a2c5063ee9502a1bad874bc350858e4fbb4eabe4250d7605838c420d1da17b96d9a62416e579e565be25a2ee7c2a864eb69fec7fd618790793f37991d085449edacee3b0cea5d3aab47a0fd1623c7b4c7eaeab70955064f1e50b4822f481c2cc85e94c81c591f220151b1aa05d5b5ca55413a11d5ffe1c29bef0645ab67d9acac3d7c89af99405ae49cfdad332ba21d6a9bbfb9998bf342841cbae893e419063382a3ae7d122060f343bf58b9f63b2bdcf6cf46ff6731713776b2844de6fdb93383e9dec30590dd20dff0359ec48e7df148da11b49e07926e88d7890ab659b6ed98c8ac55e9e0d6995ce1c3ee1a7956f8050f15255337af21352ded1c32d851236d1003faa993f4b6c257d23286cb90abd01c6a040e086dbc517a828c763ee7bf8363974e0a9a7c6327d5cca134f1540d4cd35b2ad31a9b7e52ed78265cf6ced8aa1e05913615ff7ed5da7f8591c7b47cb7abea51129f935b3f80f3735afd8aabbfbccc795169edae4faf438cc076a88fddd9d8a0b36768086c2c0d2ba3d5b37b4a4a2277993f5775c4833473c11926ea04f6764eaa3a74c4d0d7106fe2838b27e89e29dd52892c0a93efbbed48e598e7517c4586b6983087bef7b29107ef8d22bb23002626e9cbeee6f2c659d4108aa14713a35f7ca"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000007000)={0x4, 0x0, &(0x7f0000006000-0x2c)=[@acquire_done={0x40486311, 0x0, 0x0}], 0x0, 0x0, &(0x7f0000002000)=""}) 2017/12/08 23:39:57 executing program 5: mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000001000-0xd)="2f6465762f62696e6465722300", 0x0, 0x800) ioctl$BINDER_SET_MAX_THREADS(r0, 0x40046205, 0x7fffff) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000000000)={0x34, 0x0, &(0x7f0000001000-0x34)=[@decrefs={0x40046307, 0x3}, @increfs={0x40046304, 0x0}, @increfs_done={0x40046307, 0x9, 0x8}, @register_looper={0x630b}, @exit_looper={0x630d}, @increfs={0x40046304, 0x3}], 0xf2, 0x0, &(0x7f0000002000-0xf2)="45ec949fd7616e7faa8527e4253c950e9050825adda220cf116f357bc635d475515e74f08239b4c1898397b69eed5d966af972ff898d71ec7f1ebdfd2bb347523650d90084387373f0fbf68adb49202b8e3c1131fc029f97ce58988b71a673887d21afc1eb6ce59a93eb43630de8af5528a184a3654fca61cd9ae3c0e477a2f6478ab97c220e7dcfdf026812278ab21c4a6193cd0f8165aae9b376c72d0ad19ccd49a7d5961c39d394c5e38951d095f294059b0d02d90853cb89489870519e6c532ca04da2d38a136185ff7e6ace6e72a5a15d35dc09c1e2cd6df183a17392aca4ac173352b49d82b707b4d9474e87c39cf6"}) mmap(&(0x7f0000c24000/0x13000)=nil, 0x13000, 0x0, 0x79072, 0xffffffffffffffff, 0x0) syz_open_dev$binder(&(0x7f0000c32000-0xd)="2f6465762f62696e6465722300", 0x0, 0x802) 2017/12/08 23:39:57 executing program 2: mmap(&(0x7f0000000000/0x4ec000)=nil, 0x4ec000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f00004ec000-0x1)="2f6465762f62696e6465722300", 0x0, 0x0) r1 = mmap$binder(&(0x7f0000018000/0x1000)=nil, 0x1000, 0x4, 0x810, r0, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000400000)={r1, 0x0, 0x0, 0x0}) ioctl$BINDER_SET_MAX_THREADS(r0, 0xc0c0583b, 0x20400006) 2017/12/08 23:39:57 executing program 6: mmap(&(0x7f0000000000/0x4ec000)=nil, 0x4ec000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f00004ec000-0x1)="2f6465762f62696e6465722300", 0x0, 0x0) r1 = mmap$binder(&(0x7f0000472000/0x2000)=nil, 0x2000, 0x1, 0x11, r0, 0x0) mmap(&(0x7f00004ec000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f00004ec000)={r1, 0x0, 0x0, 0x0}) mmap(&(0x7f00004ec000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r2 = syz_open_dev$binder(&(0x7f00004ed000-0xd)="2f6465762f62696e6465722300", 0x0, 0x802) mmap(&(0x7f00004ed000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000000)={0x4, 0x0, &(0x7f0000287000)=[@enter_looper={0x630c}], 0x16, 0x0, &(0x7f00004ee000-0x16)="9c725eb3a505c0a462eef0ca6aeb1d5789969d17907c"}) syz_open_dev$binder(&(0x7f0000242000-0xd)="2f6465762f62696e6465722300", 0x0, 0x802) ioctl$BINDER_SET_MAX_THREADS(r0, 0xc020660b, 0x20000004) [ 46.013836] IPVS: Creating netns size=2552 id=1 [ 46.134951] IPVS: Creating netns size=2552 id=2 [ 46.157924] binder: 3582:3583 ioctl c0189436 80007d returned -22 [ 46.166555] binder: 3582:3583 ioctl c0306201 2057cfd0 returned -14 [ 46.174730] binder: 3582:3583 ioctl 40046205 1ff returned -22 [ 46.189173] binder: 3582:3586 ioctl 40046205 1 returned -22 [ 46.201075] binder: 3582:3583 ioctl 40046205 2 returned -22 2017/12/08 23:39:58 executing program 0: mmap(&(0x7f0000000000/0x8000)=nil, 0x8000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000003000)="2f6465762f62696e6465722300", 0x0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000003000)={0x20, 0x0, &(0x7f0000005000-0x20)=[@decrefs={0x40046307, 0x1}, @decrefs={0x40046307, 0x3}, @enter_looper={0x630c}, @enter_looper={0x630c}, @acquire_done={0x40046307, 0x0, 0x0}, @enter_looper={0x630c}], 0x8f, 0x0, &(0x7f0000004000)="2fd13ce360012f614ab22e8678092979973247353767a6d30192641df8cf53459d745fc4977ef1699fc9552cc414fea7e457e45a70e9b562b3b5d3d6117fb225ec8c146ffe8e36721254952a64938e8b9d3c142b795419e8357fbe46c3f00de319502dd0d9db38eb11117423dc97fd824e39f57cfbc3ab353acb259dc7fa5cbb93679bffb970eb90ff249d0533e252"}) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap$binder(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x1000001, 0x810, r0, 0x1) mmap$binder(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x2000003, 0x11, r0, 0x0) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap$binder(&(0x7f0000006000/0x2000)=nil, 0x2000, 0x1, 0x1010, r0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000007000)={0x0, 0x0, &(0x7f000000a000-0x58)=[], 0x4, 0x0, &(0x7f0000001000-0x4)="00000080"}) [ 46.212639] IPVS: Creating netns size=2552 id=3 [ 46.219398] binder: 3593:3594 DecRefs 0 refcount change on invalid ref 1 ret -22 [ 46.227023] binder: 3582:3583 ioctl c0189436 80007d returned -22 [ 46.233230] binder: 3593:3594 DecRefs 0 refcount change on invalid ref 3 ret -22 [ 46.242708] binder: 3582:3586 ioctl c0306201 2057cfd0 returned -14 [ 46.249728] binder: 3593:3594 DecRefs 0 refcount change on invalid ref 0 ret -22 2017/12/08 23:39:58 executing program 1: mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000000)="2f6465762f62696e6465722300", 0x0, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000816000)={0x0, 0x0, &(0x7f0000001000-0xc)=[], 0x0, 0x0, &(0x7f0000000000)=""}) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x2, &(0x7f0000001000)={0x4, 0x0, &(0x7f00004f0000)=[@exit_looper={0x630d}], 0x0, 0x0, &(0x7f00004f1000-0x2c)=""}) r1 = socket$inet6_sctp(0xa, 0x5, 0x84) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) open(&(0x7f0000001000)="2e2f66696c653000", 0x351380, 0x21) setsockopt$sock_timeval(r1, 0x1, 0x14, &(0x7f0000002000)={0x0, 0x0}, 0x10) 2017/12/08 23:39:58 executing program 1: mmap(&(0x7f0000000000/0x8000)=nil, 0x8000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000003000)="2f6465762f62696e6465722300", 0x0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000003000)={0x20, 0x0, &(0x7f0000005000-0x20)=[@decrefs={0x40046307, 0x1}, @decrefs={0x40046307, 0x3}, @enter_looper={0x630c}, @enter_looper={0x630c}, @acquire_done={0x40046307, 0x0, 0x0}, @enter_looper={0x630c}], 0x8f, 0x0, &(0x7f0000004000)="2fd13ce360012f614ab22e8678092979973247353767a6d30192641df8cf53459d745fc4977ef1699fc9552cc414fea7e457e45a70e9b562b3b5d3d6117fb225ec8c146ffe8e36721254952a64938e8b9d3c142b795419e8357fbe46c3f00de319502dd0d9db38eb11117423dc97fd824e39f57cfbc3ab353acb259dc7fa5cbb93679bffb970eb90ff249d0533e252"}) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000007000)={0x1c, 0x0, &(0x7f0000009000-0xc)=[@acquire_done={0x40486311, 0x0, 0x0}, @increfs={0x40046304, 0x0}], 0x2, 0x0, &(0x7f0000009000-0x2)="c55b"}) 2017/12/08 23:39:58 executing program 1: mmap(&(0x7f0000000000/0x8000)=nil, 0x8000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000005000)="2f6465762f62696e6465722300", 0x0, 0x0) r1 = syz_open_dev$binder(&(0x7f0000009000-0xd)="2f6465762f62696e6465722300", 0x0, 0x0) mmap(&(0x7f0000000000/0x2000)=nil, 0x2000, 0x0, 0x20011, r1, 0x0) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f000000a000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f000000a000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f000000b000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f000000b000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r2 = openat$rtc(0xffffffffffffff9c, &(0x7f0000008000)="2f6465762f72746300", 0x900, 0x0) ioctl$DRM_IOCTL_AGP_ACQUIRE(r2, 0x6430) r3 = accept$nfc_llcp(0xffffffffffffff9c, &(0x7f000000b000)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", 0x0}, &(0x7f0000007000-0x4)=0x60) getsockopt$sock_cred(r3, 0x1, 0x11, &(0x7f000000a000)={0x0, 0x0, 0x0}, &(0x7f000000c000-0x4)=0xc) fcntl$setown(r1, 0x8, r4) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) mmap(&(0x7f000000c000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f0000004000-0x18)={0x0, 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000009000-0x30)={0x68, 0x0, &(0x7f0000000000)=[@clear_death={0x400c630f, 0x0, 0x0}, @acquire_done={0x40106309, r5, 0x1}, @transaction={0x40406300, {0x2, 0x0, 0x1, 0x0, 0x10, 0x0, 0x0, 0x0, 0x48, &(0x7f0000006000)=[], &(0x7f0000001000-0x48)=[0x28, 0x38, 0x40, 0x38, 0x38, 0x78, 0x48, 0x38, 0x38]}}], 0x48, 0x0, &(0x7f000000c000)="d8fc1dd16de371f1d99e3b4d488546c2bbb067efde9e55e9d1048602c19fe0b0078ade697201170fdbcc34816df860d3f87023a9d8566aa3297aac9d65b25106fc55ed85da8cb6f3"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000007000)={0x4, 0x0, &(0x7f0000006000-0x2c)=[@acquire_done={0x40486311, 0x0, 0x0}], 0x0, 0x0, &(0x7f0000002000)=""}) r6 = mmap$binder(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x0, 0x10, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000005000)={0x50, 0x0, &(0x7f0000004000-0x98)=[@dead_binder_done={0x40086310, 0x0}, @reply={0x40406301, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x30, 0x10, &(0x7f0000007000)=[@fd={0x66642a85, 0x0, 0xffffffffffffffff, 0x0, 0x0}, @flat={0x66646185, 0x0, r6, 0x0}], &(0x7f0000006000)=[0x18, 0x38]}}], 0x0, 0x0, &(0x7f000000b000-0x82)=""}) [ 46.258509] binder: 3582:3586 ioctl 40046205 1ff returned -22 [ 46.269763] IPVS: Creating netns size=2552 id=4 [ 46.296236] binder: 3593:3608 DecRefs 0 refcount change on invalid ref 1 ret -22 [ 46.298117] binder: 3605:3607 DecRefs 0 refcount change on invalid ref 3 ret -22 2017/12/08 23:39:58 executing program 5: mmap(&(0x7f0000000000/0xc000)=nil, 0xc000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000000)="2f6465762f62696e6465722300", 0x0, 0x802) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000002000-0x18)={0x40, 0x0, 0x0, 0x0}) close(0xffffffffffffffff) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r1 = syz_open_dev$binder(&(0x7f0000000000)="2f6465762f62696e6465722300", 0x0, 0x2) mmap$binder(&(0x7f0000000000/0x2000)=nil, 0x2000, 0x4, 0x810, r0, 0x0) r2 = syz_open_dev$binder(&(0x7f000018f000-0xd)="2f6465762f62696e6465722300", 0x0, 0x802) mmap$binder(&(0x7f0000006000/0x2000)=nil, 0x2000, 0x0, 0x4010, r0, 0x0) ioperm(0x9f77, 0x10000000, 0x7) r3 = syz_open_dev$binder(&(0x7f0000585000-0xd)="2f6465762f62696e6465722300", 0x0, 0x800) ioctl$BINDER_GET_NODE_DEBUG_INFO(0xffffffffffffffff, 0xc018620b, &(0x7f0000001000-0x18)={0x0, 0x0, 0x0, 0x0}) r4 = syz_open_dev$binder(&(0x7f0000006000)="2f6465762f62696e6465722300", 0x0, 0x0) mmap$binder(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x4, 0x50, r0, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f000000a000-0x30)={0x4, 0x0, &(0x7f000000a000-0x10)=[@enter_looper={0x630c}], 0x0, 0x0, &(0x7f0000009000)=""}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000002000)={0x10, 0x0, &(0x7f0000006000-0x10)=[@increfs={0x40046304, 0x3}, @increfs={0x40046304, 0x4}], 0x48, 0x0, &(0x7f0000006000)="e2884ab115f878feb37a809f59945745f6382fba24ecba6fafcdba3dbe1b7af3c4dec55f078083284fbec90a18750ff85ef59a6a9afe7a0e4d85a03e8a2b3100045ae8e440f5d3eb"}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000007000)={0x10, 0x0, &(0x7f0000006000-0x2c)=[@acquire={0x40046305, 0x0}, @acquire={0x400c630e, 0x0}], 0x0, 0x0, &(0x7f0000002000)=""}) mmap(&(0x7f0000000000/0x7000)=nil, 0x7000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r5 = syz_open_dev$binder(&(0x7f0000000000)="2f6465762f62696e6465722300", 0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) r6 = syz_open_dev$binder(&(0x7f0000003000)="2f6465762f62696e6465722300", 0x0, 0x0) ioctl$BINDER_WRITE_READ(r6, 0xc0306201, &(0x7f0000003000-0x30)={0x8, 0x0, &(0x7f0000004000)=[@increfs={0x40406300, 0x0}], 0x0, 0x0, &(0x7f0000007000-0x80)=""}) mmap(&(0x7f0000007000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) poll(&(0x7f0000008000-0x10)=[{r6, 0xa684, 0x0}, {r5, 0x420, 0x0}], 0x2, 0x100000000) ioctl$BINDER_THREAD_EXIT(r3, 0x40046208, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000009000-0x30)={0x8, 0x0, &(0x7f0000008000)=[@release={0x400c630f, 0x0}], 0x0, 0x0, &(0x7f0000001000-0xb3)=""}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000003000)={0x40, 0x0, &(0x7f0000006000-0x40)=[@enter_looper={0x630c}, @increfs_done={0x40046307, 0x390, 0x9}, @increfs={0x40046304, 0x4}, @increfs_done={0x40046307, 0xe2b4, 0x78edf2de}, @enter_looper={0x630c}, @enter_looper={0x630c}, @exit_looper={0x630d}], 0x92, 0x0, &(0x7f000000a000)="47bbb68c74912d603bbb804807e7fb12f453ab003fc446ac7e90b2022490593ad902b374c838a9d2bbb0fc6185665c46cba066159e940657f8724f1b15538b0b817795dfcb6d518f9d3e60ea2a80f9ec6488ef3ec6f98b88d851773d0ec917bc39bcc08fc5e779deb18bfd7dd6c08c63eb14e57a20ad3c0f0d6b6c6dd884428de7ad37729d3322a4555d638a4fedd7252677"}) ioctl$BINDER_SET_CONTEXT_MGR(r4, 0x40046207, 0x0) poll(&(0x7f0000001000-0x28)=[{r0, 0x1, 0x0}, {0xffffffffffffffff, 0x40, 0x0}, {r1, 0x7112, 0x0}, {r2, 0x4600, 0x0}, {r3, 0x8402, 0x0}], 0x5, 0x1f) ioctl$BINDER_THREAD_EXIT(0xffffffffffffffff, 0x40046208, 0x0) 2017/12/08 23:39:58 executing program 1: mmap(&(0x7f0000000000/0x7000)=nil, 0x7000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000000)="2f6465762f62696e6465722300", 0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r1 = syz_open_dev$binder(&(0x7f0000003000)="2f6465762f62696e6465722300", 0x0, 0x0) madvise(&(0x7f0000002000/0x4000)=nil, 0x4000, 0xe) mmap(&(0x7f0000007000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000003000-0x30)={0x8, 0x0, &(0x7f0000008000-0x8)=[@increfs={0x40406300, 0x0}], 0x0, 0x0, &(0x7f0000007000-0x80)=""}) 2017/12/08 23:39:58 executing program 1: mmap(&(0x7f0000000000/0x2000)=nil, 0x2000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000003000-0xd)="2f6465762f62696e6465722300", 0x0, 0x0) poll(&(0x7f0000001000)=[{r0, 0x102, 0x0}, {r0, 0x410, 0x0}, {r0, 0x6, 0x0}], 0x3, 0x3) mmap(&(0x7f0000000000/0x57e000)=nil, 0x57e000, 0x3, 0x32, 0xffffffffffffffff, 0x0) close(r0) r1 = syz_open_dev$binder(&(0x7f0000001000-0xd)="2f6465762f62696e6465722300", 0x0, 0x0) close(r0) close(r1) syz_open_dev$binder(&(0x7f00003b9000)="2f6465762f62696e6465722300", 0x0, 0x2000000002) r2 = syz_open_dev$binder(&(0x7f0000005000)="2f6465762f62696e6465722300", 0x0, 0x0) close(r1) mmap(&(0x7f0000514000/0x3000)=nil, 0x3000, 0x2000000, 0x12, r2, 0x0) ioctl$BINDER_SET_MAX_THREADS(0xffffffffffffffff, 0x40046205, 0x0) mmap(&(0x7f0000005000/0x4000)=nil, 0x4000, 0x0, 0x51, 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f0000b64000-0xd)="2f6465762f62696e6465722300", 0x0, 0x800) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) poll(&(0x7f0000002000-0x30)=[{r3, 0x1, 0x0}, {r3, 0x102, 0x0}, {r3, 0x3000, 0x0}, {r3, 0x1000, 0x0}, {r3, 0x120, 0x0}, {r3, 0xa405, 0x0}], 0x6, 0x7fffffff) mmap(&(0x7f0000000000/0x4000)=nil, 0x4000, 0x2, 0x2031, r3, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000004000)={0x8, 0x0, &(0x7f0000007000-0x8)=[@decrefs={0x40046307, 0x4}], 0xd4, 0x0, &(0x7f0000009000-0xd4)="878797515210e2a178724499cb2db6372c20e5190ee0ba748b0f39934baae11f78495edd5dbba1b859e2090901a511a2926a0be5009ff881f87e5faff8357aa86db5969bd9c3029bb84043ef999d65eba2f4584fa391fb31239eddac283e108a46bcc785273cbf0b3f2bbc20957a332fc55975dee33d4093d741c014ba3cdd86e8769d5d61bc00fb9e4460c63d8f45d930878d24131f7ae8248064a8c1d7fedb8dd0211b57865a28a6842175c88743cc88f22ee80b68372d527330d08b445bc6fe8bba9e6da4c7a381cb47ef8c6d292517041b31"}) mmap(&(0x7f0000001000/0x2000)=nil, 0x2000, 0x0, 0x11, r0, 0x0) ioctl$BINDER_SET_MAX_THREADS(r2, 0x40046205, 0x1) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000004000-0x30)={0x2c, 0x0, &(0x7f0000001000-0x2c)=[@increfs_done={0x40046307, 0xfffffffffffffffc, 0x4}, @increfs={0x40046304, 0x2}, @decrefs={0x40046307, 0x2}, @release={0x40046306, 0x4}], 0x42, 0x0, &(0x7f0000004000-0x42)="24a693769e3bbe1aabd50abb628c90801f78345867df3af93e76bc405ad85d245c7aae8b97e7ef378055f5fe8ad24bfa233edbbb456007747a45185d6c23965ecc61"}) r4 = openat$selinux_status(0xffffffffffffff9c, &(0x7f000025e000)="2f73656c696e75782f73746174757300", 0x0, 0x0) ioctl$PERF_EVENT_IOC_RESET(r4, 0x2403, 0x20) mmap(&(0x7f0000000000/0x2000)=nil, 0x2000, 0x0, 0x7c872, 0xffffffffffffffff, 0x1000) close(0xffffffffffffffff) syz_open_dev$binder(&(0x7f0000002000-0xd)="2f6465762f62696e6465722300", 0x0, 0x0) [ 46.298124] binder: 3605:3607 IncRefs 0 refcount change on invalid ref 0 ret -22 [ 46.298127] binder: 3605:3607 DecRefs 0 refcount change on invalid ref 9 ret -22 [ 46.298129] binder: 3605:3607 unknown command 0 [ 46.298133] binder: 3605:3607 ioctl c0306201 20000000 returned -22 [ 46.302868] binder: 3605:3609 DecRefs 0 refcount change on invalid ref 3 ret -22 [ 46.302874] binder: 3605:3609 IncRefs 0 refcount change on invalid ref 0 ret -22 [ 46.302877] binder: 3605:3609 DecRefs 0 refcount change on invalid ref 9 ret -22 2017/12/08 23:39:58 executing program 1: mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000000)="2f6465762f62696e6465722300", 0x0, 0x0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) lookup_dcookie(0x10000, &(0x7f0000002000-0xd9)="00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", 0xd9) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000816000)={0x0, 0x0, &(0x7f0000001000-0xc)=[], 0x0, 0x0, &(0x7f0000000000)=""}) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0x2, &(0x7f0000001000)={0x4, 0x0, &(0x7f00004f0000)=[@exit_looper={0x630d}], 0x0, 0x0, &(0x7f00004f1000-0x2c)=""}) [ 46.302880] binder: 3605:3609 unknown command 0 [ 46.302883] binder: 3605:3609 ioctl c0306201 20000000 returned -22 [ 46.303641] binder: 3610:3611 DecRefs 0 refcount change on invalid ref 1 ret -22 [ 46.303645] binder: 3610:3611 DecRefs 0 refcount change on invalid ref 3 ret -22 [ 46.303649] binder: 3610:3611 DecRefs 0 refcount change on invalid ref 0 ret -22 [ 46.303905] binder: 3610:3611 ioctl c0306201 20007000 returned -14 [ 46.304499] binder: 3610:3612 DecRefs 0 refcount change on invalid ref 1 ret -22 2017/12/08 23:39:58 executing program 1: mmap(&(0x7f0000000000/0xc000)=nil, 0xc000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000000)="2f6465762f62696e6465722300", 0x0, 0x802) r1 = syz_open_dev$binder(&(0x7f0000001000)="2f6465762f62696e6465722300", 0x0, 0x3) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000002000-0x18)={0x40, 0x0, 0x0, 0x0}) close(r1) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r2 = syz_open_dev$binder(&(0x7f0000000000)="2f6465762f62696e6465722300", 0x0, 0x2) r3 = syz_open_dev$binder(&(0x7f000018f000-0xd)="2f6465762f62696e6465722300", 0x0, 0x802) mmap$binder(&(0x7f0000006000/0x2000)=nil, 0x2000, 0x0, 0x4010, r0, 0x0) r4 = syz_open_dev$binder(&(0x7f0000585000-0xd)="2f6465762f62696e6465722300", 0x0, 0x800) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f0000001000-0x18)={0x0, 0x0, 0x0, 0x0}) r5 = syz_open_dev$binder(&(0x7f0000006000)="2f6465762f62696e6465722300", 0x0, 0x0) mmap$binder(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x4, 0x50, r0, 0x0) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f000000a000-0x30)={0x4, 0x0, &(0x7f000000a000-0x10)=[@enter_looper={0x630c}], 0x0, 0x0, &(0x7f0000009000)=""}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000002000)={0x10, 0x0, &(0x7f0000006000-0x10)=[@increfs={0x40046304, 0x3}, @increfs={0x40046304, 0x4}], 0x48, 0x0, &(0x7f0000006000)="e2884ab115f878feb37a809f59945745f6382fba24ecba6fafcdba3dbe1b7af3c4dec55f078083284fbec90a18750ff85ef59a6a9afe7a0e4d85a03e8a2b3100045ae8e440f5d3eb"}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000007000)={0x10, 0x0, &(0x7f0000006000-0x2c)=[@acquire={0x40046305, 0x0}, @acquire={0x400c630e, 0x0}], 0x0, 0x0, &(0x7f0000002000)=""}) mmap(&(0x7f0000006000/0x1000)=nil, 0x1000, 0x5, 0x10010, r2, 0x0) mmap(&(0x7f0000000000/0x7000)=nil, 0x7000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r6 = syz_open_dev$binder(&(0x7f0000000000)="2f6465762f62696e6465722300", 0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r6, 0x40046207, 0x0) r7 = syz_open_dev$binder(&(0x7f0000003000)="2f6465762f62696e6465722300", 0x0, 0x0) ioctl$BINDER_WRITE_READ(r7, 0xc0306201, &(0x7f0000003000-0x30)={0x8, 0x0, &(0x7f0000004000)=[@increfs={0x40406300, 0x0}], 0x0, 0x0, &(0x7f0000007000-0x80)=""}) mmap(&(0x7f0000007000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) poll(&(0x7f0000008000-0x10)=[{r7, 0xa684, 0x0}, {r6, 0x420, 0x0}], 0x2, 0x100000000) ioctl$BINDER_THREAD_EXIT(r4, 0x40046208, 0x0) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000009000-0x30)={0x8, 0x0, &(0x7f0000008000)=[@release={0x400c630f, 0x0}], 0x0, 0x0, &(0x7f0000001000-0xb3)=""}) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000003000)={0x40, 0x0, &(0x7f0000006000-0x40)=[@enter_looper={0x630c}, @increfs_done={0x40046307, 0x390, 0x9}, @increfs={0x40046304, 0x4}, @increfs_done={0x40046307, 0xe2b4, 0x78edf2de}, @enter_looper={0x630c}, @enter_looper={0x630c}, @exit_looper={0x630d}], 0x92, 0x0, &(0x7f000000a000)="47bbb68c74912d603bbb804807e7fb12f453ab003fc446ac7e90b2022490593ad902b374c838a9d2bbb0fc6185665c46cba066159e940657f8724f1b15538b0b817795dfcb6d518f9d3e60ea2a80f9ec6488ef3ec6f98b88d851773d0ec917bc39bcc08fc5e779deb18bfd7dd6c08c63eb14e57a20ad3c0f0d6b6c6dd884428de7ad37729d3322a4555d638a4fedd7252677"}) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) poll(&(0x7f0000001000-0x28)=[{r0, 0x1, 0x0}, {r1, 0x40, 0x0}, {r2, 0x7112, 0x0}, {r3, 0x4600, 0x0}, {r4, 0x8402, 0x0}], 0x5, 0x1f) ioctl$BINDER_THREAD_EXIT(r1, 0x40046208, 0x0) [ 46.304503] binder: 3610:3612 DecRefs 0 refcount change on invalid ref 3 ret -22 [ 46.304507] binder: 3610:3612 DecRefs 0 refcount change on invalid ref 0 ret -22 [ 46.313829] audit: type=1400 audit(1512776398.243:5): avc: denied { set_context_mgr } for pid=3614 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1 [ 46.318633] binder: 3614:3615 ioctl c0306201 20008fd0 returned -14 2017/12/08 23:39:58 executing program 3: mmap(&(0x7f0000000000/0x8000)=nil, 0x8000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000005000)="2f6465762f62696e6465722300", 0x0, 0x0) close(r0) r1 = syz_open_dev$binder(&(0x7f0000009000-0xd)="2f6465762f62696e6465722300", 0x0, 0x0) mmap(&(0x7f0000000000/0x2000)=nil, 0x2000, 0x0, 0x20011, r1, 0x0) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r2 = openat$selinux_member(0xffffffffffffff9c, &(0x7f0000009000-0x10)="2f73656c696e75782f6d656d62657200", 0x2, 0x0) setsockopt$inet_sctp_SCTP_SOCKOPT_CONNECTX_OLD(r2, 0x84, 0x6b, &(0x7f0000009000)=[@in={0x2, 0x2, @multicast2=0xe0000002, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, @in6={0xa, 0x3, 0xffff, @empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x7ff}, @in={0x2, 0x1, @broadcast=0xffffffff, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}], 0x3c) ioctl$SNDRV_SEQ_IOCTL_SET_CLIENT_POOL(r2, 0x4058534c, &(0x7f0000007000-0x58)={0xfffffffffffffffe, 0x5, 0x3f, 0x3, 0x80000000, 0x8, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000009000-0x30)={0x4, 0x0, &(0x7f0000004000-0x18)=[@register_looper={0x630b}], 0x48, 0x0, &(0x7f0000009000)="d8fc1dd16de371f1d99e3b4d488546c2bbb067efde9e55e9d1048602c19fe0b0078ade697201170fdbcc34816df860d3f87023a9d8567fa3297aac9d65b25106fc55ed85da8cb6f3"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000007000)={0x4, 0x0, &(0x7f0000006000-0x2c)=[@acquire_done={0x40486311, 0x0, 0x0}], 0x0, 0x0, &(0x7f0000002000)=""}) mmap(&(0x7f000000b000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f000000a000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000004000)={0x4c, 0x0, &(0x7f000000c000-0x80)=[@reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20, 0x8, &(0x7f000000a000)=[@fda={0x66646185, 0x1, 0x5, 0x0}], &(0x7f000000b000)=[0x0]}, 0x0}}], 0x0, 0x0, &(0x7f000000b000)=""}) [ 46.318948] audit: type=1400 audit(1512776398.253:6): avc: denied { call } for pid=3614 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1 [ 46.319213] binder: 3614:3615 BC_DEAD_BINDER_DONE 0000000000000000 not found [ 46.319216] binder: 3614:3615 got reply transaction with no transaction stack [ 46.319219] binder: 3614:3615 transaction failed 29201/-71, size 48-16 line 2924 [ 46.321020] binder: 3616:3618 IncRefs 0 refcount change on invalid ref 3 ret -22 [ 46.321024] binder: 3616:3618 IncRefs 0 refcount change on invalid ref 4 ret -22 [ 46.330627] binder: BINDER_SET_CONTEXT_MGR already set [ 46.330631] binder: 3614:3615 ioctl 40046207 0 returned -16 [ 46.332464] binder: 3614:3617 ioctl c0306201 20008fd0 returned -14 [ 46.333637] binder_alloc: 3614: binder_alloc_buf, no vma [ 46.333668] binder: 3614:3615 transaction failed 29189/-3, size 0-0 line 3131 [ 46.336111] binder: undelivered TRANSACTION_ERROR: 29189 [ 46.336186] binder: undelivered TRANSACTION_ERROR: 29201 [ 46.336377] binder: send failed reply for transaction 2 to 3614:3615 [ 46.337711] binder: undelivered TRANSACTION_COMPLETE [ 46.337722] binder: undelivered TRANSACTION_ERROR: 29189 [ 46.342011] binder: BINDER_SET_CONTEXT_MGR already set [ 46.342014] binder: 3620:3621 ioctl 40046207 0 returned -16 [ 46.342287] binder: 3620:3621 ioctl c0306201 20002fd0 returned -14 [ 46.342619] binder: BINDER_SET_CONTEXT_MGR already set [ 46.342621] binder: 3620:3622 ioctl 40046207 0 returned -16 [ 46.343754] binder: BINDER_SET_CONTEXT_MGR already set [ 46.343757] binder: 3620:3621 ioctl 40046207 0 returned -16 [ 46.350209] binder: BINDER_SET_CONTEXT_MGR already set [ 46.350212] binder: 3616:3623 ioctl 40046207 0 returned -16 [ 46.352545] binder_alloc: 3616: binder_alloc_buf, no vma [ 46.352599] binder: 3616:3623 transaction failed 29189/-3, size 0-0 line 3131 [ 46.358940] binder: 3624:3625 ioctl 40046205 1 returned -22 [ 46.359686] binder: 3616:3618 DecRefs 0 refcount change on invalid ref 912 ret -22 [ 46.359689] binder: 3616:3618 unknown command 0 [ 46.359692] binder: 3616:3618 ioctl c0306201 20003000 returned -22 [ 46.359723] binder: BINDER_SET_CONTEXT_MGR already set [ 46.359726] binder: 3616:3618 ioctl 40046207 0 returned -16 [ 46.375171] binder: 3624:3625 ioctl 40046205 1 returned -22 [ 46.377511] binder: 3624:3625 ioctl c0306201 20003fd0 returned -11 [ 46.392613] binder: BINDER_SET_CONTEXT_MGR already set [ 46.392616] binder: 3616:3623 ioctl 40046207 0 returned -16 [ 46.400406] binder: 3616:3618 IncRefs 0 refcount change on invalid ref 3 ret -22 [ 46.400410] binder: 3616:3618 IncRefs 0 refcount change on invalid ref 4 ret -22 [ 46.402856] binder: BINDER_SET_CONTEXT_MGR already set [ 46.402859] binder: 3616:3618 ioctl 40046207 0 returned -16 [ 46.403587] binder: 3626:3630 Release 1 refcount change on invalid ref 4 ret -22 [ 46.403591] binder: 3626:3630 IncRefs 0 refcount change on invalid ref 3 ret -22 [ 46.403594] binder: 3626:3630 Release 1 refcount change on invalid ref 2 ret -22 [ 46.403599] binder: 3626:3630 BC_ACQUIRE_DONE node 9 has no pending acquire request [ 46.404026] binder_alloc: 3616: binder_alloc_buf, no vma [ 46.404056] binder: 3616:3618 transaction failed 29189/-3, size 0-0 line 3131 [ 46.406458] binder: 3616:3623 DecRefs 0 refcount change on invalid ref 912 ret -22 [ 46.406460] binder: 3616:3623 unknown command 0 [ 46.406463] binder: 3616:3623 ioctl c0306201 20003000 returned -22 [ 46.407589] binder: BINDER_SET_CONTEXT_MGR already set [ 46.407591] binder: 3616:3618 ioctl 40046207 0 returned -16 [ 46.417339] binder: 3634:3635 IncRefs 0 refcount change on invalid ref 3 ret -22 [ 46.417342] binder: 3634:3635 IncRefs 0 refcount change on invalid ref 4 ret -22 [ 46.426320] binder: 3626:3636 unknown command 1784877669 [ 46.426324] binder: 3626:3636 ioctl c0306201 2000c000 returned -22 [ 46.431033] binder: undelivered TRANSACTION_ERROR: 29189 [ 46.431107] binder: undelivered death notification, 0000000000000000 [ 46.431232] binder: undelivered TRANSACTION_ERROR: 29189 [ 46.443944] binder: BINDER_SET_CONTEXT_MGR already set [ 46.443948] binder: 3634:3637 ioctl 40046207 0 returned -16 [ 46.446290] binder_alloc: 3634: binder_alloc_buf, no vma [ 46.446325] binder: 3634:3637 transaction failed 29189/-3, size 0-0 line 3131 [ 46.450616] binder: BINDER_SET_CONTEXT_MGR already set [ 46.450620] binder: 3626:3630 ioctl 40046207 0 returned -16 [ 46.452054] binder: 3634:3635 DecRefs 0 refcount change on invalid ref 912 ret -22 [ 46.452056] binder: 3634:3635 unknown command 0 [ 46.452059] binder: 3634:3635 ioctl c0306201 20003000 returned -22 [ 46.452091] binder: BINDER_SET_CONTEXT_MGR already set [ 46.452093] binder: 3634:3635 ioctl 40046207 0 returned -16 [ 46.455344] binder: 3626:3636 unknown command 1784877669 [ 46.455347] binder: 3626:3636 ioctl c0306201 2000c000 returned -22 [ 46.467995] binder: undelivered death notification, 0000000000000000 [ 46.468218] binder: undelivered death notification, 0000000000000000 [ 46.472977] binder: 3638:3639 ERROR: BC_REGISTER_LOOPER called without request [ 46.486891] binder: BINDER_SET_CONTEXT_MGR already set [ 46.486895] binder: 3634:3635 ioctl 40046207 0 returned -16 [ 46.491934] binder: 3634:3637 IncRefs 0 refcount change on invalid ref 3 ret -22 [ 46.491938] binder: 3634:3637 IncRefs 0 refcount change on invalid ref 4 ret -22 [ 46.495653] binder: BINDER_SET_CONTEXT_MGR already set [ 46.495657] binder: 3634:3635 ioctl 40046207 0 returned -16 [ 46.496910] binder_alloc: 3634: binder_alloc_buf, no vma [ 46.496939] binder: 3634:3635 transaction failed 29189/-3, size 0-0 line 3131 [ 46.497246] binder: 3638:3639 got transaction with invalid parent offset or type [ 46.497287] binder: 3638:3639 transaction failed 29201/-22, size 32-8 line 3254 [ 46.497291] binder: send failed reply for transaction 19 to 3638:3640 [ 46.497598] binder: undelivered TRANSACTION_ERROR: 29190 [ 46.497611] binder: undelivered TRANSACTION_COMPLETE [ 46.497621] binder: undelivered TRANSACTION_ERROR: 29201 [ 46.504724] binder: 3634:3637 DecRefs 0 refcount change on invalid ref 912 ret -22 [ 46.504727] binder: 3634:3637 unknown command 0 [ 46.504729] binder: 3634:3637 ioctl c0306201 20003000 returned -22 [ 46.505852] binder: BINDER_SET_CONTEXT_MGR already set [ 46.505855] binder: 3634:3635 ioctl 40046207 0 returned -16 [ 46.510181] binder: undelivered TRANSACTION_ERROR: 29189 [ 46.510237] binder: undelivered death notification, 0000000000000000 [ 46.510405] binder: undelivered TRANSACTION_ERROR: 29189 [ 46.513004] binder: 3638:3640 ERROR: BC_REGISTER_LOOPER called without request [ 46.514169] binder_alloc: 3638: binder_alloc_buf, no vma [ 46.514201] binder: 3638:3639 transaction failed 29189/-3, size 0-0 line 3131 [ 46.515524] binder: 3638:3640 got reply transaction with no transaction stack [ 46.515527] binder: 3638:3640 transaction failed 29201/-71, size 32-8 line 2924 [ 46.526882] binder: undelivered TRANSACTION_ERROR: 29189 [ 46.526897] binder: undelivered TRANSACTION_ERROR: 29201 [ 47.107112] binder: 3593:3608 DecRefs 0 refcount change on invalid ref 3 ret -22 [ 47.114769] binder: 3593:3608 DecRefs 0 refcount change on invalid ref 0 ret -22 [ 47.125615] IPVS: Creating netns size=2552 id=5 [ 47.160088] IPVS: Creating netns size=2552 id=6 [ 47.194349] IPVS: Creating netns size=2552 id=7 [ 47.217046] IPVS: Creating netns size=2552 id=8 [ 47.248805] binder: 3651:3653 Acquire 1 refcount change on invalid ref 1 ret -22 [ 47.251678] binder: 3654:3655 ERROR: BC_REGISTER_LOOPER called without request [ 47.251683] binder: 3654:3655 DecRefs 0 refcount change on invalid ref 0 ret -22 [ 47.251688] binder: 3654:3655 BC_INCREFS_DONE u0000000080000000 no match [ 47.251690] binder: 3654:3655 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER [ 47.251872] binder: 3654:3655 BC_FREE_BUFFER u0000020400000000 no match [ 47.252474] binder: 3654:3655 ioctl c018620b 20001000 returned -14 2017/12/08 23:39:59 executing program 7: mmap(&(0x7f0000000000/0x8000)=nil, 0x8000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000005000)="2f6465762f62696e6465722300", 0x0, 0x0) r1 = syz_open_dev$binder(&(0x7f0000009000-0xd)="2f6465762f62696e6465722300", 0x0, 0x0) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0x2000)=nil, 0x2000, 0x0, 0x20011, r1, 0x0) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f000000a000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f000000b000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) time(&(0x7f000000b000)=0x0) r2 = openat$selinux_create(0xffffffffffffff9c, &(0x7f000000b000-0x10)="2f73656c696e75782f63726561746500", 0x2, 0x0) mmap(&(0x7f000000b000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp_SCTP_GET_ASSOC_ID_LIST(r2, 0x84, 0x1d, &(0x7f000000c000-0xc)={0x2, [0x0, 0x0]}, &(0x7f0000006000-0x4)=0xc) getsockopt$inet_sctp_SCTP_RESET_STREAMS(0xffffffffffffff9c, 0x84, 0x77, &(0x7f0000001000)={0x0, 0x7}, &(0x7f0000008000)=0x8) mmap(&(0x7f000000a000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp_SCTP_ENABLE_STREAM_RESET(r2, 0x84, 0x76, &(0x7f000000b000-0x8)={r3, 0x9549}, &(0x7f0000009000-0x4)=0x8) poll(&(0x7f000000a000-0x30)=[{r1, 0x0, 0x0}], 0x1, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000003000-0x30)={0x28, 0x0, &(0x7f0000005000)=[@exit_looper={0x630d}, @acquire={0x40046305, 0x2}, @increfs={0x40046304, 0x3}, @increfs={0x40046304, 0x1}, @register_looper={0x630b}, @release={0x40046306, 0x0}], 0xf, 0x0, &(0x7f0000001000)="f1e4ee1be5ad2888f321c2380c1766"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) mmap(&(0x7f000000c000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f000000c000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) syz_open_dev$mice(&(0x7f000000c000-0x10)="2f6465762f696e7075742f6d69636500", 0x0, 0x40000) mmap(&(0x7f000000a000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) poll(&(0x7f000000b000-0x30)=[{r1, 0x2000, 0x0}, {r1, 0xa95f220ab72dadd3, 0x0}, {r0, 0x4, 0x0}, {r0, 0x300, 0x0}, {r0, 0xb62a, 0x0}, {r1, 0x8104, 0x0}], 0x6, 0x10000) openat$selinux_avc_hash_stats(0xffffffffffffff9c, &(0x7f000000a000-0x18)="2f73656c696e75782f6176632f686173685f737461747300", 0x0, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000007000)={0x4, 0x0, &(0x7f0000006000-0x2c)=[@acquire_done={0x40486311, 0x0, 0x0}], 0x0, 0x0, &(0x7f0000002000)=""}) 2017/12/08 23:39:59 executing program 5: mmap(&(0x7f0000000000/0x7000)=nil, 0x7000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000000)="2f6465762f62696e6465722300", 0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r1 = getpgid(0x0) setpriority(0x0, r1, 0x3) mmap(&(0x7f0000007000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r2 = openat$selinux_member(0xffffffffffffff9c, &(0x7f0000009000-0x10)="2f73656c696e75782f6d656d62657200", 0x2, 0x0) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$sock_FIOSETOWN(r2, 0x8901, &(0x7f0000008000)=r1) r3 = syz_open_dev$binder(&(0x7f0000004000-0xd)="2f6465762f62696e6465722300", 0x0, 0x800) mmap(&(0x7f0000007000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f0000003000-0x30)={0x8, 0x0, &(0x7f0000008000-0x8)=[@increfs={0x40406300, 0x0}], 0x0, 0x0, &(0x7f0000007000-0x80)=""}) [ 47.259284] binder: BINDER_SET_CONTEXT_MGR already set [ 47.259287] binder: 3654:3655 ioctl 40046207 0 returned -16 [ 47.260567] binder_alloc: 3654: binder_alloc_buf, no vma [ 47.260599] binder: 3654:3655 transaction failed 29189/-3, size 0-0 line 3131 [ 47.261800] binder: 3654:3655 ERROR: BC_REGISTER_LOOPER called without request [ 47.261805] binder: 3654:3655 DecRefs 0 refcount change on invalid ref 0 ret -22 [ 47.261810] binder: 3654:3655 BC_INCREFS_DONE u0000000080000000 no match [ 47.261812] binder: 3654:3655 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER [ 47.264473] binder: 3654:3656 BC_FREE_BUFFER u0000020400000000 no match [ 47.264510] binder_alloc: 3654: binder_alloc_buf, no vma [ 47.264540] binder: 3654:3656 transaction failed 29189/-3, size 0-0 line 3131 [ 47.268788] binder: 3654:3657 ioctl c018620b 20001000 returned -14 [ 47.286293] binder: undelivered TRANSACTION_ERROR: 29189 [ 47.286366] binder: undelivered TRANSACTION_ERROR: 29189 [ 47.286436] binder: release 3654:3655 transaction 27 out, still active [ 47.286439] binder: release 3654:3655 transaction 26 in, still active [ 47.286441] binder: undelivered TRANSACTION_COMPLETE [ 47.286473] binder: send failed reply for transaction 27, target dead [ 47.286484] binder: send failed reply for transaction 26 to 3654:3655 [ 47.293561] binder: undelivered TRANSACTION_COMPLETE [ 47.293573] binder: undelivered TRANSACTION_ERROR: 29189 [ 47.294044] binder: 3651:3661 ioctl 40046205 4 returned -22 [ 47.295565] binder: 3651:3661 ERROR: BC_REGISTER_LOOPER called without request [ 47.296420] binder: 3662:3663 Acquire 1 refcount change on invalid ref 2 ret -22 [ 47.296424] binder: 3662:3663 IncRefs 0 refcount change on invalid ref 3 ret -22 [ 47.296427] binder: 3662:3663 IncRefs 0 refcount change on invalid ref 1 ret -22 [ 47.296429] binder: 3662:3663 ERROR: BC_REGISTER_LOOPER called without request [ 47.296433] binder: 3662:3663 Release 1 refcount change on invalid ref 0 ret -22 [ 47.296439] binder: 3662:3663 ioctl c0306201 20002fd0 returned -14 [ 47.299599] binder_alloc: 3664: binder_alloc_buf, no vma [ 47.299629] binder: 3664:3665 transaction failed 29189/-3, size 0-0 line 3131 [ 47.299969] binder: BINDER_SET_CONTEXT_MGR already set [ 47.299972] binder: 3664:3666 ioctl 40046207 0 returned -16 [ 47.306040] binder: 3664:3666 unknown command 0 [ 47.306044] binder: 3664:3666 ioctl c0306201 20002fd0 returned -22 [ 47.318480] binder: undelivered TRANSACTION_ERROR: 29189 [ 47.318769] binder: undelivered transaction 35, put_user failed [ 47.318784] binder: 3651:3661 ioctl c0306201 20009fd0 returned -14 [ 47.320906] binder_alloc: 3662: binder_alloc_buf size 51539607552 failed, no address space [ 47.320909] binder_alloc: allocated: 0 (num: 0 largest: 0), free: 8192 (num: 1 largest: 8192) [ 47.320939] binder: 3662:3668 transaction failed 29201/-28, size 51539607552-0 line 3131 [ 47.359381] binder: 3651:3667 Acquire 1 refcount change on invalid ref 1 ret -22 [ 47.359389] binder: 3651:3667 BC_FREE_BUFFER u0000000000000000 no match [ 47.364598] binder: 3662:3669 Acquire 1 refcount change on invalid ref 2 ret -22 [ 47.364601] binder: 3662:3669 IncRefs 0 refcount change on invalid ref 3 ret -22 [ 47.364604] binder: 3662:3669 IncRefs 0 refcount change on invalid ref 1 ret -22 [ 47.364607] binder: 3662:3669 ERROR: BC_REGISTER_LOOPER called without request [ 47.364610] binder: 3662:3669 Release 1 refcount change on invalid ref 0 ret -22 [ 47.364618] binder: 3662:3669 ioctl c0306201 20002fd0 returned -14 [ 47.365743] binder: BINDER_SET_CONTEXT_MGR already set [ 47.365746] binder: 3662:3668 ioctl 40046207 0 returned -16 [ 47.365849] binder: BINDER_SET_CONTEXT_MGR already set [ 47.365852] binder: 3651:3670 ioctl 40046207 0 returned -16 [ 47.365875] binder: 3651:3671 ioctl 40046205 4 returned -22 [ 47.367142] binder: 3651:3670 ERROR: BC_REGISTER_LOOPER called without request [ 47.367206] binder_alloc: 3651: binder_alloc_buf, no vma [ 47.367236] binder: 3651:3671 transaction failed 29189/-3, size 0-0 line 3131 [ 47.390419] binder_alloc: 3662: binder_alloc_buf, no vma [ 47.390450] binder: 3662:3672 transaction failed 29189/-3, size 51539607552-0 line 3131 [ 47.438212] binder: undelivered TRANSACTION_ERROR: 29189 [ 47.478239] binder: undelivered TRANSACTION_ERROR: 29201 2017/12/08 23:39:59 executing program 4: mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000001000-0xd)="2f6465762f62696e6465722300", 0x0, 0x800) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000001000-0xd)="2f6465762f62696e6465722300", 0x0, 0x802) syz_open_dev$binder(&(0x7f000028c000-0xd)="2f6465762f62696e6465722300", 0x0, 0x802) r2 = syz_open_dev$binder(&(0x7f0000001000-0x3)="2f6465762f62696e6465722300", 0x0, 0x7fe) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f0000000000)={0x7, 0x0, 0x0, 0x0}) ioctl$BINDER_SET_MAX_THREADS(r2, 0x40046205, 0x1) close(r2) r3 = syz_open_dev$binder(&(0x7f0000002000-0xd)="2f6465762f62696e6465722300", 0x0, 0x800) r4 = syz_open_dev$binder(&(0x7f0000003000-0xd)="2f6465762f62696e6465722300", 0x0, 0x802) mmap(&(0x7f000057a000/0x4000)=nil, 0x4000, 0x2000004, 0x50, r4, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r3, 0xc018620b, &(0x7f0000005000-0x18)={0x7fc, 0x0, 0x0, 0x0}) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r5 = syz_open_dev$binder(&(0x7f000057b000-0xd)="2f6465762f62696e6465722300", 0x0, 0x800) close(r0) mmap(&(0x7f0000006000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) poll(&(0x7f0000007000-0x48)=[{r3, 0x400, 0x0}, {r0, 0x4, 0x0}, {r5, 0x1000, 0x0}, {r4, 0x2000, 0x0}, {r5, 0x48, 0x0}, {r3, 0x88, 0x0}, {r5, 0x0, 0x0}, {r4, 0x2, 0x0}, {r0, 0x4008, 0x0}], 0x9, 0xeabb) ioctl$BINDER_SET_MAX_THREADS(r2, 0x40046205, 0xffff) mmap(&(0x7f0000007000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f000057a000/0x4000)=nil, 0x4000, 0x2, 0x1113, r5, 0x0) mmap(&(0x7f0000005000/0x4000)=nil, 0x4000, 0x2, 0x51, r4, 0x0) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000003000-0x30)={0x20, 0x0, &(0x7f000057e000-0x20)=[@release={0x40046306, 0x3}, @acquire={0x40046305, 0x1}, @release={0x40046306, 0x2}, @acquire={0x40046305, 0x4}], 0xa9, 0x0, &(0x7f0000002000)="c0928423a714b77fae8105c08a6987d1c07c99736eb7793cfa9964a7322d94160108d4200ff9897bcc76f229406324aacbaa3affd74c366abe6bbb14a2bb5f8bf0c478dae4a2ef245a71261a33b667a723f70f38fe8679a862c98c4da0716b7f761ffe21d136923c5d8f143177de568c412110d5a424188085e8ea06ababe2dc8f4a469ec348e365ce4811123f29ccf70854d3dd5a4cb086442c0a996893f8c6fe1f51b3c1f2fecd1f"}) poll(&(0x7f0000007000-0x20)=[{r4, 0x102, 0x0}, {r5, 0x8000, 0x0}, {r1, 0x0, 0x0}, {r5, 0x0, 0x0}], 0x4, 0x7fff) 2017/12/08 23:39:59 executing program 1: mmap(&(0x7f0000000000/0xc000)=nil, 0xc000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000000)="2f6465762f62696e6465722300", 0x0, 0x802) r1 = syz_open_dev$binder(&(0x7f0000001000)="2f6465762f62696e6465722300", 0x0, 0x3) ioctl$BINDER_GET_NODE_DEBUG_INFO(r0, 0xc018620b, &(0x7f0000002000-0x18)={0x40, 0x0, 0x0, 0x0}) close(r1) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) r2 = syz_open_dev$binder(&(0x7f0000000000)="2f6465762f62696e6465722300", 0x0, 0x2) r3 = syz_open_dev$binder(&(0x7f000018f000-0xd)="2f6465762f62696e6465722300", 0x0, 0x802) mmap$binder(&(0x7f0000006000/0x2000)=nil, 0x2000, 0x0, 0x4010, r0, 0x0) syz_open_dev$binder(&(0x7f0000585000-0xd)="2f6465762f62696e6465722300", 0x0, 0x800) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f0000001000-0x18)={0x0, 0x0, 0x0, 0x0}) mmap(&(0x7f000000c000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r4 = accept$ax25(0xffffffffffffff9c, &(0x7f000000c000)={0x0, {"00000000000000"}, 0x0}, &(0x7f0000003000-0x3)=0x10) r5 = fcntl$getown(r1, 0x9) ioctl$sock_FIOSETOWN(r4, 0x8901, &(0x7f000000b000)=r5) r6 = syz_open_dev$binder(&(0x7f0000006000)="2f6465762f62696e6465722300", 0x0, 0x0) mmap$binder(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x4, 0x50, r0, 0x0) ioctl$BINDER_WRITE_READ(r6, 0xc0306201, &(0x7f000000a000-0x30)={0x4, 0x0, &(0x7f000000a000-0x10)=[@enter_looper={0x630c}], 0x0, 0x0, &(0x7f0000009000)=""}) ioctl$BINDER_WRITE_READ(r6, 0xc0306201, &(0x7f0000002000)={0x10, 0x0, &(0x7f0000006000-0x10)=[@increfs={0x40046304, 0x3}, @increfs={0x40046304, 0x4}], 0x48, 0x0, &(0x7f0000006000)="e2884ab115f878feb37a809f59945745f6382fba24ecba6fafcdba3dbe1b7af3c4dec55f078083284fbec90a18750ff85ef59a6a9afe7a0e4d85a03e8a2b3100045ae8e440f5d3eb"}) ioctl$BINDER_WRITE_READ(r6, 0xc0306201, &(0x7f0000007000)={0x10, 0x0, &(0x7f0000006000-0x2c)=[@acquire={0x40046305, 0x0}, @acquire={0x400c630e, 0x0}], 0x0, 0x0, &(0x7f0000002000)=""}) mmap(&(0x7f0000000000/0x7000)=nil, 0x7000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r7 = syz_open_dev$binder(&(0x7f0000000000)="2f6465762f62696e6465722300", 0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r7, 0x40046207, 0x0) r8 = syz_open_dev$binder(&(0x7f0000003000)="2f6465762f62696e6465722300", 0x0, 0x0) ioctl$BINDER_WRITE_READ(r8, 0xc0306201, &(0x7f0000003000-0x30)={0x8, 0x0, &(0x7f0000004000)=[@increfs={0x40406300, 0x0}], 0x0, 0x0, &(0x7f0000007000-0x80)=""}) mmap(&(0x7f0000007000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) poll(&(0x7f0000008000-0x10)=[{r8, 0xa684, 0x0}, {r7, 0x420, 0x0}], 0x2, 0x100000000) ioctl$BINDER_THREAD_EXIT(r3, 0x40046208, 0x0) ioctl$BINDER_WRITE_READ(r6, 0xc0306201, &(0x7f0000009000-0x30)={0x8, 0x0, &(0x7f0000008000)=[@release={0x400c630f, 0x0}], 0x0, 0x0, &(0x7f0000001000-0xb3)=""}) ioctl$BINDER_WRITE_READ(r6, 0xc0306201, &(0x7f0000003000)={0x40, 0x0, &(0x7f0000006000-0x40)=[@enter_looper={0x630c}, @increfs_done={0x40046307, 0x390, 0x9}, @increfs={0x40046304, 0x4}, @increfs_done={0x40046307, 0xe2b4, 0x78edf2de}, @enter_looper={0x630c}, @enter_looper={0x630c}, @exit_looper={0x630d}], 0x92, 0x0, &(0x7f000000a000)="47bbb68c74912d603bbb804807e7fb12f453ab003fc446ac7e90b2022490593ad902b374c838a9d2bbb0fc6185665c46cba066159e940657f8724f1b15538b0b817795dfcb6d518f9d3e60ea2a80f9ec6488ef3ec6f98b88d851773d0ec917bc39bcc08fc5e779deb18bfd7dd6c08c63eb14e57a20ad3c0f0d6b6c6dd884428de7ad37729d3322a4555d638a4fedd7252677"}) ioctl$BINDER_SET_CONTEXT_MGR(r6, 0x40046207, 0x0) mmap(&(0x7f000000d000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) poll(&(0x7f000000d000)=[{r0, 0x1000, 0x0}, {r8, 0x410, 0x0}, {r7, 0x402, 0x0}, {r4, 0x12, 0x0}, {r0, 0x4015, 0x0}, {r0, 0x200, 0x0}, {r2, 0x8, 0x0}], 0x7, 0x1f) ioctl$BINDER_THREAD_EXIT(r1, 0x40046208, 0x0) 2017/12/08 23:39:59 executing program 3: mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000001000-0xd)="2f6465762f62696e6465722300", 0x0, 0x800) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000001000-0xd)="2f6465762f62696e6465722300", 0x0, 0x802) syz_open_dev$binder(&(0x7f000028c000-0xd)="2f6465762f62696e6465722300", 0x0, 0x802) r2 = syz_open_dev$binder(&(0x7f0000001000-0x3)="2f6465762f62696e6465722300", 0x0, 0x7fe) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f0000000000)={0x7, 0x0, 0x0, 0x0}) ioctl$BINDER_SET_MAX_THREADS(r2, 0x40046205, 0x1) close(r2) r3 = syz_open_dev$binder(&(0x7f0000002000-0xd)="2f6465762f62696e6465722300", 0x0, 0x800) r4 = syz_open_dev$binder(&(0x7f0000003000-0xd)="2f6465762f62696e6465722300", 0x0, 0x802) mmap(&(0x7f000057a000/0x4000)=nil, 0x4000, 0x2000004, 0x50, r4, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000003000-0x30)={0x0, 0x0, &(0x7f000057e000-0x8)=[], 0xf7, 0x0, &(0x7f000057e000-0xf7)="bb5827b7cc7fd2c8b880838b49dd6bc3ab1f3a2fb92227a4b3bbc423032ea5617d49d6f610037cff2d4e5da6a4c4dfc6c76427885eabc229349aa759489c2739573ae1d2e25fa38921a2ba2ce3646982ff097fe5b86ae8a46037d9a8d5897304faf4cb411495d3a37f583327a24f1402b713e49470ae82c15c14e1e50d2bfa6035f3b06ff2c68020797104ba59e67b3022de6b303d91b9ba7feb581b021184b26e74c9beb92d21fb2d9e836ccfa68e30b015e9af1512426b7e2022d347f9174eb03d43a77c81cec8e46cbc7eda157f7c1c8348402e7170012be340c6928ebea25edfa2f95898c1671bf73bafe857d313f5ecbf8fd14009"}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r3, 0xc018620b, &(0x7f0000005000-0x18)={0x7fc, 0x0, 0x0, 0x0}) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r5 = syz_open_dev$binder(&(0x7f000057b000-0xd)="2f6465762f62696e6465722300", 0x0, 0x800) close(r0) mmap(&(0x7f0000006000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) poll(&(0x7f0000007000-0x48)=[{r3, 0x400, 0x0}, {r0, 0x4, 0x0}, {r5, 0x1000, 0x0}, {r4, 0x2000, 0x0}, {r5, 0x48, 0x0}, {r3, 0x88, 0x0}, {r5, 0x0, 0x0}, {r4, 0x2, 0x0}, {r0, 0x4008, 0x0}], 0x9, 0xeabb) ioctl$BINDER_SET_MAX_THREADS(r2, 0x40046205, 0xffff) mmap(&(0x7f0000007000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f000057a000/0x4000)=nil, 0x4000, 0x2, 0x1113, r5, 0x0) mmap(&(0x7f0000005000/0x4000)=nil, 0x4000, 0x2, 0x51, r4, 0x0) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000003000-0x30)={0x1c, 0x0, &(0x7f0000004000-0x1c)=[@release={0x40046306, 0x3}, @enter_looper={0x630c}, @release={0x40046306, 0x2}, @acquire={0x40046305, 0x4}], 0xa9, 0x0, &(0x7f0000002000)="c0928423a714b77fae8105c08a6987d1c07c99736eb7793cfa9964a7322d94160108d4200ff9897bcc76f229406324aacbaa3affd74c366abe6bbb14a2bb5f8bf0c478dae4a2ef245a71261a33b667a723f70f38fe8679a862c98c4da0716b7f761ffe21d136923c5d8f143177de568c412110d5a424188085e8ea06ababe2dc8f4a469ec348e365ce4811123f29ccf70854d3dd5a4cb086442c0a996893f8c6fe1f51b3c1f2fecd1f"}) poll(&(0x7f0000007000-0x20)=[{r4, 0x102, 0x0}, {r5, 0x8000, 0x0}, {r1, 0x0, 0x0}, {r5, 0x0, 0x0}], 0x4, 0x7fff) 2017/12/08 23:39:59 executing program 0: mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000001000-0xd)="2f6465762f62696e6465722300", 0x0, 0x2) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000001000-0xd)="2f6465762f62696e6465722300", 0x0, 0x802) r2 = syz_open_dev$binder(&(0x7f000028c000-0xd)="2f6465762f62696e6465722300", 0x0, 0x800) r3 = syz_open_dev$binder(&(0x7f0000001000-0x3)="2f6465762f62696e6465722300", 0x0, 0x7fe) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f0000000000)={0x7, 0x0, 0x0, 0x0}) ioctl$BINDER_SET_MAX_THREADS(r3, 0x40046205, 0x1) close(r3) r5 = syz_open_dev$binder(&(0x7f0000002000-0xd)="2f6465762f62696e6465722300", 0x0, 0x804) r6 = syz_open_dev$binder(&(0x7f0000003000-0xd)="2f6465762f62696e6465722300", 0x0, 0x802) mmap(&(0x7f000057a000/0x4000)=nil, 0x4000, 0x2000004, 0x50, r6, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r6, 0xc0306201, &(0x7f0000003000-0x30)={0x0, 0x0, &(0x7f000057e000-0x8)=[], 0xf7, 0x0, &(0x7f000057e000-0xf7)="bb5827b7cc7fd2c8b880838b49dd6bc3ab1f3a2fb92227a4b3bbc423032ea5617d49d6f610037cff2d4e5da6a4c4dfc6c76427885eabc229349aa759489c2739573ae1d2e25fa38921a2ba2ce3646982ff097fe5b86ae8a46037d9a8d5897304faf4cb411495d3a37f583327a24f1402b713e49470ae82c15c14e1e50d2bfa6035f3b06ff2c68020797104ba59e67b3022de6b303d91b9ba7feb581b021184b26e74c9beb92d21fb2d9e836ccfa68e30b015e9af1512426b7e2022d347f9174eb03d43a77c81cec8e46cbc7eda157f7c1c8348402e7170012be340c6928ebea25edfa2f95898c1671bf73bafe857d313f5ecbf8fd14009"}) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000003000-0x18)={r4, 0x0, 0x0, 0x0}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f0000005000-0x18)={r4, 0x0, 0x0, 0x0}) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r7 = syz_open_dev$binder(&(0x7f000057b000-0xd)="2f6465762f62696e6465722300", 0x0, 0x800) close(r0) mmap(&(0x7f0000006000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) poll(&(0x7f0000007000-0x48)=[{r5, 0x400, 0x0}, {r0, 0x4, 0x0}, {r7, 0x1000, 0x0}, {r6, 0x2000, 0x0}, {r0, 0x48, 0x0}, {r5, 0x88, 0x0}, {r7, 0x0, 0x0}, {r6, 0x2, 0x0}, {r0, 0x4008, 0x0}], 0x9, 0xeabb) ioctl$BINDER_SET_MAX_THREADS(r0, 0x40046205, 0x2000000000000002) mmap(&(0x7f0000007000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f000057a000/0x4000)=nil, 0x4000, 0x2, 0x1113, r7, 0x0) mmap(&(0x7f0000005000/0x4000)=nil, 0x4000, 0x2, 0x51, r6, 0x0) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f000000a000-0x30)={0x20, 0x0, &(0x7f000057e000-0x20)=[@release={0x40046306, 0x3}, @acquire={0x40046305, 0x1}, @release={0x40046306, 0x2}, @acquire={0x40046305, 0x4}], 0xa9, 0x0, &(0x7f0000002000)="c0928423a714b77fae8105c08a6987d1c07c99736eb7793cfa9964a7322d94160108d4200ff9897bcc76f229406324aacbaa3affd74c366abe6bbb14a2bb5f8bf0c478dae4a2ef245a71261a33b667a723f70f38fe8679a862c98c4da0716b7f761ffe21d136923c5d8f143177de568c412110d5a424188085e8ea06ababe2dc8f4a469ec348e365ce4811123f29ccf70854d3dd5a4cb086442c0a996893f8c6fe1f51b3c1f2fecd1f"}) poll(&(0x7f0000007000-0x20)=[{r6, 0x102, 0x0}, {r7, 0x8000, 0x0}, {r1, 0x0, 0x0}, {r7, 0x0, 0x0}], 0x4, 0x7fff) 2017/12/08 23:39:59 executing program 2: mmap(&(0x7f0000000000/0x8000)=nil, 0x8000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000005000)="2f6465762f62696e6465722300", 0x0, 0x0) close(r0) r1 = syz_open_dev$binder(&(0x7f0000009000-0xd)="2f6465762f62696e6465722300", 0x0, 0x0) mmap(&(0x7f0000000000/0x2000)=nil, 0x2000, 0x0, 0x20011, r1, 0x0) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r2 = openat$rfkill(0xffffffffffffff9c, &(0x7f0000001000-0xc)="2f6465762f72666b696c6c00", 0x400, 0x0) mmap(&(0x7f000000a000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$DRM_IOCTL_IRQ_BUSID(r2, 0xc0106403, &(0x7f000000a000)={0x5, 0x101, 0x4, 0xde01}) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000009000-0x30)={0x4, 0x0, &(0x7f0000004000-0x18)=[@register_looper={0x630b}], 0x48, 0x0, &(0x7f0000009000)="d8fc1dd16de371f1d99e3b4d488546c2bbb067efde9e55e9d1048602c19fe0b0078ade697201170fdbcc34816df860d3f87023a9d8567fa3297aac9d65b25106fc55ed85da8cb6f3"}) getsockopt$inet_sctp6_SCTP_CONTEXT(r2, 0x84, 0x11, &(0x7f0000002000)={0x0, 0x5}, &(0x7f0000006000)=0x8) mmap(&(0x7f000000b000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp6_SCTP_DEFAULT_SEND_PARAM(r2, 0x84, 0xa, &(0x7f000000c000-0x20)={0x0, 0xffff, 0x20e, 0x80, 0x7fff, 0x5, 0x3, 0x2, r3}, &(0x7f0000001000-0x4)=0x20) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000007000)={0x4, 0x0, &(0x7f0000006000-0x2c)=[@acquire_done={0x40486311, 0x0, 0x0}], 0x0, 0x0, &(0x7f0000002000)=""}) mmap(&(0x7f000000b000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f000000a000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) socket$packet(0x11, 0x2, 0x300) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000004000)={0x4c, 0x0, &(0x7f000000c000-0x80)=[@reply_sg={0x40486312, {{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x20, 0x8, &(0x7f000000a000)=[@fda={0x66646185, 0x1, 0x5, 0x0}], &(0x7f000000b000)=[0x0]}, 0x0}}], 0x0, 0x0, &(0x7f000000b000)=""}) 2017/12/08 23:39:59 executing program 5: mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = openat$vga_arbiter(0xffffffffffffff9c, &(0x7f0000001000-0x11)="2f6465762f7667615f6172626974657200", 0x800, 0x0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$inet6_IPV6_IPSEC_POLICY(r0, 0x29, 0x22, &(0x7f0000001000)={{{@in6=@loopback={0x0, 0x0}, @in=@local={0x0, 0x0, 0x0, 0x0}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, {0x0, 0x0, 0x0, 0x0}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, {{@in6=@loopback={0x0, 0x0}, 0x0, 0x0}, 0x0, @in6=@empty={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, &(0x7f0000001000-0x4)=0xe8) r1 = syz_open_dev$binder(&(0x7f0000001000-0xd)="2f6465762f62696e6465722300", 0x0, 0x802) mmap(&(0x7f000028e000/0x4000)=nil, 0x4000, 0x8, 0x810, r1, 0x0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000001000)={0x20, 0x0, &(0x7f0000291000-0x20)=[@register_looper={0x630b}, @acquire_done={0x40046307, 0x0, 0x0}, @acquire={0x40046305, 0x2}, @acquire={0x40046305, 0x3}, @acquire={0x40046305, 0x0}], 0x6b, 0x0, &(0x7f0000291000)="475ce4a1b626ba215e96709bba18acd080ba325021017172c1c63aa0f500a063edf6f3d535a30a244b67a5267c1d7edcd678d06a65f2662029830c1fd0ca9bc0cb8494920f33afe7f0b96dea897444c3df8db7804f95a65a7e98fc1b10ba07a2d6578dcce2ff63afcba204"}) mmap(&(0x7f000028f000/0x3000)=nil, 0x3000, 0x3, 0x10, 0xffffffffffffffff, 0x0) getsockopt$inet_tcp_buf(r0, 0x6, 0x1d, &(0x7f0000002000)="0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", &(0x7f0000000000)=0x2f) mmap(&(0x7f0000290000/0x2000)=nil, 0x2000, 0x50ddb91b76485cb2, 0x10, r1, 0x0) r2 = syz_open_dev$binder(&(0x7f0000292000-0xd)="2f6465762f62696e6465722300", 0x0, 0x800) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f000028f000)={0x24, 0x0, &(0x7f0000003000-0x24)=[@acquire_done={0x40046307, 0x0, 0x0}, @acquire={0x40046305, 0x0}, @acquire_done={0x40046307, 0x0, 0x0}, @increfs={0x40046304, 0x4}, @acquire={0x40046305, 0x0}, @register_looper={0x630b}], 0xaf, 0x0, &(0x7f0000001000)="3be35cfde15d9447a5bd5dfa7f76396664976ca1fe7b54337fcfae606b1c2824d73be576dd2d18ee78b3e8ef38f28c64182a3e96c398e89d16eb4dac4384b54e8bf1089bcd065edf89d7ffd68bd4da522928fbb934ea194f29b100879ac5a655931d662c55688e728c8b9da69c29a336ac28a1d0fa8e4443344c9afc7172247c066292baad71ad8bb487a6cebd5bc5866d12244827a850d0a55ad0b6e14aa10e187dd21f84c023d5758a3255394147"}) r3 = syz_open_dev$binder(&(0x7f000028f000-0xd)="2f6465762f62696e6465722300", 0x0, 0x2) r4 = syz_open_dev$binder(&(0x7f000028e000)="2f6465762f62696e6465722300", 0x0, 0x2) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000290000)={0x28, 0x0, &(0x7f0000003000)=[@increfs={0x40046304, 0x0}, @increfs={0x40046304, 0x2}, @enter_looper={0x630c}, @increfs_done={0x40046307, 0x2, 0x1b}], 0x23, 0x0, &(0x7f000028f000)="28311c3d150c39943fab91d7af79965750942dcbca9a7605911e52918aa76ba518cc5f"}) ioctl$BINDER_THREAD_EXIT(r1, 0x40046208, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r3, 0xc018620b, &(0x7f0000001000-0x18)={0x400, 0x0, 0x0, 0x0}) ioctl$SNDRV_SEQ_IOCTL_SET_CLIENT_INFO(r0, 0x40bc5311, &(0x7f0000291000)={0x3, 0x1, "636c69656e7431000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", 0xffffffff80000004, "6d2cc531bc418b8a", "522e5583f79f9e9b0c9a0ffe35349b2831101b0923b30bd3e2d40fcaced2fdbe", 0x20000, 0x2, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}) poll(&(0x7f0000003000-0x28)=[{r1, 0x8000, 0x0}, {r2, 0x10, 0x0}, {r3, 0x2001, 0x0}, {r1, 0x4001, 0x0}, {r1, 0x208, 0x0}], 0x5, 0x5) ioctl$BINDER_SET_MAX_THREADS(r3, 0x40046205, 0x7) ioctl$BINDER_SET_MAX_THREADS(r2, 0x40046205, 0x6) ioctl$BINDER_SET_CONTEXT_MGR(r2, 0x40046207, 0x0) mmap(&(0x7f0000290000/0x1000)=nil, 0x1000, 0x2000009, 0x5cdde75e55b5d0f4, r4, 0x0) ioctl$BINDER_SET_MAX_THREADS(r3, 0x40046205, 0x3) ioctl$BINDER_SET_MAX_THREADS(r2, 0x40046205, 0x1) ioctl$SNDRV_TIMER_IOCTL_NEXT_DEVICE(r0, 0xc0145401, &(0x7f000028e000)={0xffffffffffffffff, 0x3, 0x0, 0x3, 0x9b1e}) 2017/12/08 23:39:59 executing program 6: mmap(&(0x7f00004eb000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f00004ec000-0x1)="2f6465762f62696e6465722300", 0x0, 0x4873bcbee7cbff19) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) creat(&(0x7f0000000000)="2e2f66696c653000", 0xa0) ioctl$BINDER_SET_MAX_THREADS(r0, 0xc028660f, 0x0) 2017/12/08 23:39:59 executing program 7: mmap(&(0x7f00004eb000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f00004ec000-0x1)="2f6465762f62696e6465722300", 0x0, 0x200004) ioctl$BINDER_SET_MAX_THREADS(r0, 0x40087602, 0x80007d) 2017/12/08 23:39:59 executing program 7: mmap(&(0x7f0000000000/0x2000)=nil, 0x2000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000003000-0xd)="2f6465762f62696e6465722300", 0x0, 0x0) poll(&(0x7f0000001000)=[{r0, 0x102, 0x0}, {r0, 0x410, 0x0}, {r0, 0x6, 0x0}], 0x3, 0x3) mmap(&(0x7f0000000000/0x57e000)=nil, 0x57e000, 0x3, 0x32, 0xffffffffffffffff, 0x0) close(r0) r1 = syz_open_dev$binder(&(0x7f0000001000-0xd)="2f6465762f62696e6465722300", 0x0, 0x0) close(r0) close(r1) syz_open_dev$binder(&(0x7f00003b9000)="2f6465762f62696e6465722300", 0x0, 0x2000000002) r2 = syz_open_dev$binder(&(0x7f0000003000-0xd)="2f6465762f62696e6465722300", 0x0, 0x802) r3 = syz_open_dev$binder(&(0x7f0000005000)="2f6465762f62696e6465722300", 0x0, 0x0) close(r1) mmap(&(0x7f0000514000/0x3000)=nil, 0x3000, 0x2000000, 0x12, r3, 0x0) ioctl$BINDER_SET_MAX_THREADS(0xffffffffffffffff, 0x40046205, 0x0) mmap(&(0x7f0000005000/0x4000)=nil, 0x4000, 0x0, 0x51, r2, 0x0) r4 = syz_open_dev$binder(&(0x7f0000b64000-0xd)="2f6465762f62696e6465722300", 0x0, 0x800) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) poll(&(0x7f0000002000-0x30)=[{r4, 0x1, 0x0}, {r4, 0x102, 0x0}, {r4, 0x3000, 0x0}, {r4, 0x1000, 0x0}, {r4, 0x120, 0x0}, {r4, 0xa405, 0x0}], 0x6, 0x7fffffff) mmap(&(0x7f0000000000/0x4000)=nil, 0x4000, 0x2, 0x2031, r4, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000004000)={0x8, 0x0, &(0x7f0000007000-0x8)=[@decrefs={0x40046307, 0x4}], 0xd4, 0x0, &(0x7f0000009000-0xd4)="878797515210e2a178724499cb2db6372c20e5190ee0ba748b0f39934baae11f78495edd5dbba1b859e2090901a511a2926a0be5009ff881f87e5faff8357aa86db5969bd9c3029bb84043ef999d65eba2f4584fa391fb31239eddac283e108a46bcc785273cbf0b3f2bbc20957a332fc55975dee33d4093d741c014ba3cdd86e8769d5d61bc00fb9e4460c63d8f45d930878d24131f7ae8248064a8c1d7fedb8dd0211b57865a28a6842175c88743cc88f22ee80b68372d527330d08b445bc6fe8bba9e6da4c7a381cb47ef8c6d292517041b31"}) mmap(&(0x7f0000001000/0x2000)=nil, 0x2000, 0x0, 0x11, r0, 0x0) ioctl$BINDER_SET_MAX_THREADS(r3, 0x40046205, 0x1) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000004000-0x30)={0x2c, 0x0, &(0x7f0000001000-0x2c)=[@increfs_done={0x40046307, 0xfffffffffffffffc, 0x4}, @increfs={0x40046304, 0x2}, @decrefs={0x40046307, 0x2}, @release={0x40046306, 0x4}], 0x42, 0x0, &(0x7f0000004000-0x42)="24a693769e3bbe1aabd50abb628c90801f78345867df3af93e76bc405ad85d245c7aae8b97e7ef378055f5fe8ad24bfa233edbbb456007747a45185d6c23965ecc61"}) mmap(&(0x7f0000000000/0x2000)=nil, 0x2000, 0x0, 0x7c872, 0xffffffffffffffff, 0x1000) close(r2) syz_open_dev$binder(&(0x7f0000002000-0xd)="2f6465762f62696e6465722300", 0x0, 0x0) [ 47.695160] binder: 3651:3653 BC_FREE_BUFFER u0000000000000000 no match [ 47.703205] binder: undelivered TRANSACTION_COMPLETE [ 47.709051] binder: undelivered TRANSACTION_ERROR: 29189 [ 47.716344] binder: 3674:3675 IncRefs 0 refcount change on invalid ref 3 ret -22 [ 47.726266] binder: 3678:3686 ioctl c0306201 20001000 returned -14 [ 47.726446] binder: 3673:3684 ERROR: BC_REGISTER_LOOPER called without request [ 47.730309] binder: 3676:3682 Release 1 refcount change on invalid ref 3 ret -22 2017/12/08 23:39:59 executing program 6: mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000001000-0xd)="2f6465762f62696e6465722300", 0x0, 0x800) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000001000-0xd)="2f6465762f62696e6465722300", 0x0, 0x802) syz_open_dev$binder(&(0x7f000028c000-0xd)="2f6465762f62696e6465722300", 0x0, 0x802) r2 = syz_open_dev$binder(&(0x7f0000001000-0x3)="2f6465762f62696e6465722300", 0x0, 0x7fe) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f0000000000)={0x7, 0x0, 0x0, 0x0}) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r3 = openat$keychord(0xffffffffffffff9c, &(0x7f0000002000-0xe)="2f6465762f6b657963686f726400", 0x400800, 0x0) ioctl$BINDER_SET_MAX_THREADS(r3, 0x40046205, 0x0) close(r2) r4 = syz_open_dev$binder(&(0x7f0000002000-0xd)="2f6465762f62696e6465722300", 0x0, 0x800) r5 = syz_open_dev$binder(&(0x7f0000003000-0xd)="2f6465762f62696e6465722300", 0x0, 0x802) mmap(&(0x7f000057a000/0x4000)=nil, 0x4000, 0x2000004, 0x50, r5, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000003000-0x30)={0x0, 0x0, &(0x7f000057e000-0x8)=[], 0xf7, 0x0, &(0x7f000057e000-0xf7)="bb5827b7cc7fd2c8b880838b49dd6bc3ab1f3a2fb92227a4b3bbc423032ea5617d49d6f610037cff2d4e5da6a4c4dfc6c76427885eabc229349aa759489c2739573ae1d2e25fa38921a2ba2ce3646982ff097fe5b86ae8a46037d9a8d5897304faf4cb411495d3a37f583327a24f1402b713e49470ae82c15c14e1e50d2bfa6035f3b06ff2c68020797104ba59e67b3022de6b303d91b9ba7feb581b021184b26e74c9beb92d21fb2d9e836ccfa68e30b015e9af1512426b7e2022d347f9174eb03d43a77c81cec8e46cbc7eda157f7c1c8348402e7170012be340c6928ebea25edfa2f95898c1671bf73bafe857d313f5ecbf8fd14009"}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r4, 0xc018620b, &(0x7f0000005000-0x18)={0x7fc, 0x0, 0x0, 0x0}) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r6 = syz_open_dev$binder(&(0x7f000057b000-0xd)="2f6465762f62696e6465722300", 0x0, 0x800) close(r0) mmap(&(0x7f0000006000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) poll(&(0x7f0000007000-0x48)=[{r4, 0x400, 0x0}, {r0, 0x4, 0x0}, {r6, 0x1000, 0x0}, {r5, 0x2000, 0x0}, {r6, 0x48, 0x0}, {r4, 0x88, 0x0}, {r6, 0x0, 0x0}, {r5, 0x2, 0x0}, {r0, 0x4008, 0x0}], 0x9, 0xeabb) ioctl$BINDER_SET_MAX_THREADS(r2, 0x40046205, 0xffff) mmap(&(0x7f0000007000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f000057a000/0x4000)=nil, 0x4000, 0x2, 0x1113, r6, 0x0) mmap(&(0x7f0000005000/0x4000)=nil, 0x4000, 0x2, 0x51, r5, 0x0) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000003000-0x30)={0x20, 0x0, &(0x7f000057e000-0x20)=[@release={0x40046306, 0x3}, @acquire={0x40046305, 0x1}, @release={0x40046306, 0x2}, @acquire={0x40046305, 0x4}], 0xa9, 0x0, &(0x7f0000002000)="c0928423a714b77fae8105c08a6987d1c07c99736eb7793cfa9964a7322d94160108d4200ff9897bcc76f229406324aacbaa3affd74c366abe6bbb14a2bb5f8bf0c478dae4a2ef245a71261a33b667a723f70f38fe8679a862c98c4da0716b7f761ffe21d136923c5d8f143177de568c412110d5a424188085e8ea06ababe2dc8f4a469ec348e365ce4811123f29ccf70854d3dd5a4cb086442c0a996893f8c6fe1f51b3c1f2fecd1f"}) poll(&(0x7f0000007000-0x20)=[{r5, 0x102, 0x0}, {r6, 0x8000, 0x0}, {r1, 0x0, 0x0}, {r6, 0x0, 0x0}], 0x4, 0x7fff) 2017/12/08 23:39:59 executing program 3: mmap(&(0x7f0000000000/0x8000)=nil, 0x8000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) pipe(&(0x7f0000008000)={0x0, 0x0}) getsockopt$inet_tcp_int(r1, 0x6, 0x13, &(0x7f0000006000)=0x0, &(0x7f0000004000)=0x4) r2 = syz_open_dev$binder(&(0x7f0000003000)="2f6465762f62696e6465722300", 0x0, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000003000)={0x20, 0x0, &(0x7f0000005000-0x20)=[@decrefs={0x40046307, 0x1}, @decrefs={0x40046307, 0x3}, @enter_looper={0x630c}, @enter_looper={0x630c}, @acquire_done={0x40046307, 0x0, 0x0}, @enter_looper={0x630c}], 0x8f, 0x0, &(0x7f0000004000)="2fd13ce360012f614ab22e8678092979973247353767a6d30192641df8cf53459d745fc4977ef1699fc9552cc414fea7e457e45a70e9b562b3b5d3d6117fb225ec8c146ffe8e36721254952a64938e8b9d3c142b795419e8357fbe46c3f00de319502dd0d9db38eb11117423dc97fd824e39f57cfbc3ab353acb259dc7fa5cbb93679bffb970eb90ff249d0533e252"}) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$TIOCSWINSZ(r0, 0x5414, &(0x7f0000001000-0x8)={0x40, 0x4, 0x80000001, 0x347bdaa1}) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000007000)={0xc, 0x0, &(0x7f0000009000-0xc)=[@acquire_done={0x40486311, 0x0, 0x0}, @increfs={0x40046304, 0x0}], 0x2, 0x0, &(0x7f0000009000-0x2)="c55b"}) 2017/12/08 23:39:59 executing program 0: mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000001000-0xd)="2f6465762f62696e6465722300", 0x0, 0x800) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000001000-0xd)="2f6465762f62696e6465722300", 0x0, 0x802) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r2 = request_key(&(0x7f0000001000)="727872706300", &(0x7f0000002000-0x5)={0x73, 0x79, 0x7a, 0x1, 0x0}, &(0x7f0000001000)="2f6465762f62696e6465722300", 0xfffffffffffffffb) add_key$user(&(0x7f0000002000-0x5)="7573657200", &(0x7f0000000000)={0x73, 0x79, 0x7a, 0x3, 0x0}, &(0x7f0000002000-0x9f)="882292533a30d781dca6b1e4db9279e3b442deb35b4004bd34e3570e9e2404a629d3169b236209ec96cc3a74d13b776b858706c63d9999e6c1925ed418abdf5e3bdece360c3f39f594082a305646dd91ad3c3b41d4b6d62a4fb56b740e9f523a71fcd1b0b6fa004a0549b4425fe430f8dbbeae1ea0aeb6b2f9b59efa27e34b1cfba05b0b36eed49c84292825130eaafb7404b9b124d6e58096c8b7b477b396", 0x9f, r2) syz_open_dev$binder(&(0x7f000028c000-0xd)="2f6465762f62696e6465722300", 0x0, 0x802) r3 = syz_open_dev$binder(&(0x7f0000001000-0x3)="2f6465762f62696e6465722300", 0x0, 0x7fe) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f0000000000)={0x7, 0x0, 0x0, 0x0}) ioctl$BINDER_SET_MAX_THREADS(r3, 0x40046205, 0x1) close(r3) r4 = syz_open_dev$binder(&(0x7f0000002000-0xd)="2f6465762f62696e6465722300", 0x0, 0x800) r5 = syz_open_dev$binder(&(0x7f0000003000-0xd)="2f6465762f62696e6465722300", 0x0, 0x802) mmap(&(0x7f000057a000/0x4000)=nil, 0x4000, 0x2000004, 0x50, r5, 0x0) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000003000-0x30)={0x0, 0x0, &(0x7f000057e000-0x8)=[], 0xf7, 0x0, &(0x7f000057e000-0xf7)="bb5827b7cc7fd2c8b880838b49dd6bc3ab1f3a2fb92227a4b3bbc423032ea5617d49d6f610037cff2d4e5da6a4c4dfc6c76427885eabc229349aa759489c2739573ae1d2e25fa38921a2ba2ce3646982ff097fe5b86ae8a46037d9a8d5897304faf4cb411495d3a37f583327a24f1402b713e49470ae82c15c14e1e50d2bfa6035f3b06ff2c68020797104ba59e67b3022de6b303d91b9ba7feb581b021184b26e74c9beb92d21fb2d9e836ccfa68e30b015e9af1512426b7e2022d347f9174eb03d43a77c81cec8e46cbc7eda157f7c1c8348402e7170012be340c6928ebea25edfa2f95898c1671bf73bafe857d313f5ecbf8fd14009"}) ioctl$BINDER_GET_NODE_DEBUG_INFO(r4, 0xc018620b, &(0x7f0000005000-0x18)={0x7fc, 0x0, 0x0, 0x0}) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r6 = syz_open_dev$binder(&(0x7f000057b000-0xd)="2f6465762f62696e6465722300", 0x0, 0x800) close(r0) mmap(&(0x7f0000006000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) poll(&(0x7f0000007000-0x48)=[{r4, 0x400, 0x0}, {r0, 0x4, 0x0}, {r6, 0x1000, 0x0}, {r5, 0x2000, 0x0}, {r6, 0x48, 0x0}, {r4, 0x88, 0x0}, {r6, 0x0, 0x0}, {r5, 0x2, 0x0}, {r0, 0x4008, 0x0}], 0x9, 0xeabb) ioctl$BINDER_SET_MAX_THREADS(r3, 0x40046205, 0xffff) mmap(&(0x7f0000007000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f000057a000/0x4000)=nil, 0x4000, 0x2, 0x1113, r6, 0x0) mmap(&(0x7f0000005000/0x4000)=nil, 0x4000, 0x2, 0x51, r5, 0x0) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f0000003000-0x30)={0x20, 0x0, &(0x7f000057e000-0x20)=[@release={0x40046306, 0x3}, @acquire={0x40046305, 0x1}, @release={0x40046306, 0x2}, @acquire={0x40046305, 0x4}], 0xa9, 0x0, &(0x7f0000002000)="c0928423a714b77fae8105c08a6987d1c07c99736eb7793cfa9964a7322d94160108d4200ff9897bcc76f229406324aacbaa3affd74c366abe6bbb14a2bb5f8bf0c478dae4a2ef245a71261a33b667a723f70f38fe8679a862c98c4da0716b7f761ffe21d136923c5d8f143177de568c412110d5a424188085e8ea06ababe2dc8f4a469ec348e365ce4811123f29ccf70854d3dd5a4cb086442c0a996893f8c6fe1f51b3c1f2fecd1f"}) 2017/12/08 23:39:59 executing program 6: mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000000000)="2f6465762f62696e6465722300", 0x0, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000816000)={0x0, 0x0, &(0x7f0000001000-0xc)=[], 0x0, 0x0, &(0x7f0000000000)=""}) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mq_open(&(0x7f0000002000)="73797374656d00", 0x8c1, 0x80, &(0x7f0000002000-0x40)={0x4, 0xfffffffffffffffa, 0xff, 0x10000, 0x9, 0xf62, 0xffffffffffffdd51, 0x6}) ioctl$BINDER_WRITE_READ(r0, 0x2, &(0x7f0000001000)={0x4, 0x0, &(0x7f00004f0000)=[@exit_looper={0x630d}], 0x0, 0x0, &(0x7f00004f1000-0x2c)=""}) 2017/12/08 23:39:59 executing program 4: mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000001000-0xd)="2f6465762f62696e6465722300", 0x0, 0x800) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) close(r0) r1 = syz_open_dev$binder(&(0x7f0000002000-0xd)="2f6465762f62696e6465722300", 0x0, 0x800) r2 = syz_open_dev$binder(&(0x7f0000003000-0xd)="2f6465762f62696e6465722300", 0x0, 0x802) mmap(&(0x7f0000000000/0x4ee000)=nil, 0x4ee000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_MAX_THREADS(r2, 0x40046205, 0x7) r3 = syz_open_dev$binder(&(0x7f00004ec000-0xd)="2f6465762f62696e6465722300", 0x0, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f000035f000-0x18)={0x9, 0x0, 0x0, 0x0}) ioctl$BINDER_SET_MAX_THREADS(r3, 0xc0189436, 0x20000000) ioctl$BINDER_SET_MAX_THREADS(r3, 0x40046205, 0xff) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f00004ee000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f00004ef000-0x18)={0x44a2feb4, 0x0, 0x0, 0x0}) mmap(&(0x7f0000006000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0x8000)=nil, 0x8000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f00004ef000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r4 = syz_open_dev$binder(&(0x7f000004e000-0xd)="2f6465762f62696e6465722300", 0x0, 0x0) r5 = syz_open_dev$binder(&(0x7f0000009000-0xd)="2f6465762f62696e6465722300", 0x0, 0x0) mmap(&(0x7f0000000000/0x2000)=nil, 0x2000, 0x0, 0x20011, r5, 0x0) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f000000a000-0x30)={0x4, 0x0, &(0x7f000000a000-0x10)=[@register_looper={0x630b}], 0x1, 0x0, &(0x7f000000a000)="d8"}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000007000)={0x4, 0x0, &(0x7f0000006000-0x2c)=[@acquire_done={0x40486311, 0x0, 0x0}], 0x0, 0x0, &(0x7f0000002000)=""}) mmap(&(0x7f0000007000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0x8000)=nil, 0x8000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r6 = syz_open_dev$binder(&(0x7f0000005000)="2f6465762f62696e6465722300", 0x0, 0x0) close(r4) ioctl$BINDER_GET_NODE_DEBUG_INFO(r6, 0xc018620b, &(0x7f0000003000-0x18)={0x0, 0x0, 0x0, 0x0}) mmap(&(0x7f00004ef000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) [ 47.730314] binder: 3676:3682 Release 1 refcount change on invalid ref 2 ret -22 [ 47.730317] binder: 3676:3682 Acquire 1 refcount change on invalid ref 4 ret -22 [ 47.730324] binder: 3676:3682 ioctl c0306201 20002fd0 returned -11 [ 47.735034] binder: 3674:3675 IncRefs 0 refcount change on invalid ref 4 ret -22 [ 47.742758] binder: 3676:3682 ioctl c0306201 20002fd0 returned -14 [ 47.742783] binder: 3677:3685 ioctl c0306201 20002fd0 returned -14 [ 47.750143] binder: 3676:3690 ioctl 40046205 ffff returned -22 [ 47.751071] binder: 3681:3683 ioctl 40046205 ffff returned -22 2017/12/08 23:39:59 executing program 6: mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000001000-0xd)="2f6465762f62696e6465722300", 0x0, 0x800) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) close(r0) r1 = syz_open_dev$binder(&(0x7f0000002000-0xd)="2f6465762f62696e6465722300", 0x0, 0x800) r2 = syz_open_dev$binder(&(0x7f0000003000-0xd)="2f6465762f62696e6465722300", 0x0, 0x802) mmap(&(0x7f0000000000/0x4ee000)=nil, 0x4ee000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_MAX_THREADS(r2, 0x40046205, 0x7) mmap(&(0x7f00004ee000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r3 = syz_open_dev$binder(&(0x7f00004ef000-0xd)="2f6465762f62696e6465722300", 0x0, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f000035f000-0x18)={0x9, 0x0, 0x0, 0x0}) ioctl$BINDER_SET_MAX_THREADS(r3, 0xc0189436, 0x20000000) ioctl$BINDER_SET_MAX_THREADS(r3, 0x40046205, 0x1) mmap(&(0x7f0000005000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f00004ee000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r1, 0xc018620b, &(0x7f00004ef000-0x18)={0x44a2feb4, 0x0, 0x0, 0x0}) mmap(&(0x7f0000006000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0x8000)=nil, 0x8000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r4 = syz_open_dev$binder(&(0x7f0000005000)="2f6465762f62696e6465722300", 0x0, 0x0) r5 = syz_open_dev$binder(&(0x7f0000009000-0xd)="2f6465762f62696e6465722300", 0x0, 0x0) mmap(&(0x7f0000000000/0x2000)=nil, 0x2000, 0x0, 0x20011, r5, 0x0) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r5, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f000000a000-0x30)={0x4, 0x0, &(0x7f000000a000-0x10)=[@register_looper={0x630b}], 0x1, 0x0, &(0x7f000000a000)="d8"}) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000007000)={0x4, 0x0, &(0x7f0000006000-0x2c)=[@acquire_done={0x40486311, 0x0, 0x0}], 0x0, 0x0, &(0x7f0000002000)=""}) mmap(&(0x7f0000007000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0x8000)=nil, 0x8000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r6 = syz_open_dev$binder(&(0x7f0000005000)="2f6465762f62696e6465722300", 0x0, 0x0) close(r4) ioctl$BINDER_GET_NODE_DEBUG_INFO(r6, 0xc018620b, &(0x7f0000003000-0x18)={0x0, 0x0, 0x0, 0x0}) mmap(&(0x7f00004ef000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) 2017/12/08 23:39:59 executing program 1: mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000001000-0xd)="2f6465762f62696e6465722300", 0x0, 0x802) mmap(&(0x7f000028e000/0x4000)=nil, 0x4000, 0x8, 0x810, r0, 0x0) mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000001000)={0x20, 0x0, &(0x7f0000291000-0x20)=[@register_looper={0x630b}, @acquire_done={0x40046307, 0x0, 0x0}, @acquire={0x40046305, 0x2}, @acquire={0x40046305, 0x3}, @acquire={0x40046305, 0x0}], 0x6b, 0x0, &(0x7f0000291000)="475ce4a1b626ba215e96709bba18acd080ba325021017172c1c63aa0f500a063edf6f3d535a30a244b67a5267c1d7edcd678d06a65f2662029830c1fd0ca9bc0cb8494920f33afe7f0b96dea897444c3df8db7804f95a65a7e98fc1b10ba07a2d6578dcce2ff63afcba204"}) mmap(&(0x7f0000290000/0x2000)=nil, 0x2000, 0x50ddb91b76485cb2, 0x10, r0, 0x0) r1 = syz_open_dev$binder(&(0x7f0000292000-0xd)="2f6465762f62696e6465722300", 0x0, 0x800) mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f000028f000)={0x24, 0x0, &(0x7f0000003000-0x24)=[@acquire_done={0x40046307, 0x0, 0x0}, @acquire={0x40046305, 0x0}, @acquire_done={0x40046307, 0x0, 0x0}, @increfs={0x40046304, 0x4}, @acquire={0x40046305, 0x0}, @register_looper={0x630b}], 0xaf, 0x0, &(0x7f0000001000)="3be35cfde15d9447a5bd5dfa7f76396664976ca1fe7b54337fcfae606b1c2824d73be576dd2d18ee78b3e8ef38f28c64182a3e96c398e89d16eb4dac4384b54e8bf1089bcd065edf89d7ffd68bd4da522928fbb934ea194f29b100879ac5a655931d662c55688e728c8b9da69c29a336ac28a1d0fa8e4443344c9afc7172247c066292baad71ad8bb487a6cebd5bc5866d12244827a850d0a55ad0b6e14aa10e187dd21f84c023d5758a3255394147"}) r2 = syz_open_dev$binder(&(0x7f000028f000-0xd)="2f6465762f62696e6465722300", 0x0, 0x2) r3 = syz_open_dev$binder(&(0x7f000028e000)="2f6465762f62696e6465722300", 0x0, 0x2) r4 = openat$selinux_avc_hash_stats(0xffffffffffffff9c, &(0x7f0000291000-0x18)="2f73656c696e75782f6176632f686173685f737461747300", 0x0, 0x0) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$LOOP_GET_STATUS(r4, 0x4c03, &(0x7f0000004000-0x98)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", "0000000000000000000000000000000000000000000000000000000000000000", [0x0, 0x0], 0x0}) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000290000)={0x28, 0x0, &(0x7f0000003000)=[@increfs={0x40046304, 0x0}, @increfs={0x40046304, 0x2}, @enter_looper={0x630c}, @increfs_done={0x40046307, 0x2, 0x1b}], 0x23, 0x0, &(0x7f000028f000)="28311c3d150c39943fab91d7af79965750942dcbca9a7605911e52918aa76ba518cc5f"}) ioctl$BINDER_THREAD_EXIT(r0, 0x40046208, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r2, 0xc018620b, &(0x7f0000001000-0x18)={0x400, 0x0, 0x0, 0x0}) poll(&(0x7f0000003000-0x28)=[{r0, 0x8000, 0x0}, {r1, 0x10, 0x0}, {r2, 0x2001, 0x0}, {r0, 0x4001, 0x0}, {r0, 0x208, 0x0}], 0x5, 0x5) ioctl$BINDER_SET_MAX_THREADS(r2, 0x40046205, 0x7) ioctl$BINDER_SET_MAX_THREADS(r1, 0x40046205, 0x6) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) mmap(&(0x7f0000290000/0x1000)=nil, 0x1000, 0x2000009, 0x5cdde75e55b5d0f4, r3, 0x0) ioctl$BINDER_SET_MAX_THREADS(r2, 0x40046205, 0x3) ioctl$BINDER_SET_MAX_THREADS(r1, 0x40046205, 0x1) [ 47.751100] binder: BINDER_SET_CONTEXT_MGR already set [ 47.751103] binder: 3674:3694 ioctl 40046207 0 returned -16 [ 47.754179] binder: binder_mmap: 3676 20005000-20009000 bad vm_flags failed -1 [ 47.754473] binder: binder_mmap: 3681 20005000-20009000 bad vm_flags failed -1 [ 47.755772] binder: binder_mmap: 3677 20005000-20009000 bad vm_flags failed -1 [ 47.756583] binder_alloc: 3674: binder_alloc_buf, no vma [ 47.756615] binder: 3674:3694 transaction failed 29189/-3, size 0-0 line 3131 2017/12/08 23:39:59 executing program 7: mmap(&(0x7f0000000000/0x8000)=nil, 0x8000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000005000)="2f6465762f62696e6465722300", 0x0, 0x0) r1 = syz_open_dev$binder(&(0x7f0000009000-0xd)="2f6465762f62696e6465722300", 0x0, 0x0) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r2 = openat$selinux_context(0xffffffffffffff9c, &(0x7f000000a000-0x11)="2f73656c696e75782f636f6e7465787400", 0x2, 0x0) mmap(&(0x7f0000000000/0x2000)=nil, 0x2000, 0x0, 0x20011, r1, 0x0) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) poll(&(0x7f000000a000-0x30)=[{r1, 0x0, 0x0}], 0x1, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000003000-0x30)={0x28, 0x0, &(0x7f0000005000)=[@exit_looper={0x630d}, @acquire={0x40046305, 0x2}, @increfs={0x40046304, 0x3}, @increfs={0x40046304, 0x1}, @register_looper={0x630b}, @release={0x40046306, 0x0}], 0xf, 0x0, &(0x7f0000001000)="f1e4ee1be5ad2888f321c2380c1766"}) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) mmap(&(0x7f000000a000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f000000b000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f000000b000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) poll(&(0x7f0000001000-0x20)=[{r2, 0x80, 0x0}, {r2, 0x401, 0x0}, {r0, 0x10, 0x0}, {r2, 0x1000, 0x0}], 0x4, 0x9) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000007000)={0x4, 0x0, &(0x7f0000006000-0x2c)=[@acquire_done={0x40486311, 0x0, 0x0}], 0x0, 0x0, &(0x7f0000002000)=""}) 2017/12/08 23:39:59 executing program 0: mmap(&(0x7f0000000000/0x8000)=nil, 0x8000, 0x3, 0x32, 0xffffffffffffffff, 0x0) close(0xffffffffffffffff) r0 = syz_open_dev$binder(&(0x7f0000009000-0xd)="2f6465762f62696e6465722300", 0x0, 0x0) mmap(&(0x7f0000000000/0x2000)=nil, 0x2000, 0x0, 0x20011, r0, 0x0) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f000000a000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$sg(&(0x7f000000b000-0x9)="2f6465762f73672300", 0x5, 0x40000) mmap(&(0x7f000000a000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$inet6_udp_int(r1, 0x11, 0x65, &(0x7f0000002000)=0x0, &(0x7f000000b000-0x4)=0x4) mmap(&(0x7f000000b000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$SNDRV_TIMER_IOCTL_INFO(r0, 0x80e85411, &(0x7f000000c000-0x31)="00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000") ioctl$BINDER_SET_CONTEXT_MGR(0xffffffffffffffff, 0x40046207, 0x0) getsockopt$inet_sctp_SCTP_PRIMARY_ADDR(r1, 0x84, 0x6, &(0x7f0000009000)={0x0, @in6={{0xa, 0x1, 0x40, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}, 0x3ff0000000000000}, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}}, &(0x7f000000a000-0x4)=0x8c) mmap(&(0x7f000000b000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f000000b000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$inet_sctp6_SCTP_PARTIAL_DELIVERY_POINT(r1, 0x84, 0x13, &(0x7f000000c000-0x8)={r2, 0x1}, &(0x7f000000c000-0x4)=0x8) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000009000-0x30)={0x4, 0x0, &(0x7f0000004000-0x18)=[@register_looper={0x630b}], 0x48, 0x0, &(0x7f0000009000)="d8fc1dd16de371f1d99e3b4d488546c2bbb067efde9e55e9d1048602c19fe0b0078ade697201170fdbcc34816df860d3f87023a9d8567fa3297aac9d65b25106fc55ed85da8cb6f3"}) ioctl$PIO_UNIMAPCLR(r1, 0x4b68, &(0x7f0000009000-0x6)={0x7ff, 0x2, 0x7}) mmap(&(0x7f000000a000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r3 = openat$selinux_mls(0xffffffffffffff9c, &(0x7f000000b000-0xd)="2f73656c696e75782f6d6c7300", 0x0, 0x0) mmap(&(0x7f000000a000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) bind$unix(r3, &(0x7f000000b000-0xa)=@file={0x1, "2e2f66696c653000"}, 0xa) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000007000)={0x4, 0x0, &(0x7f0000006000-0x2c)=[@acquire_done={0x40486311, 0x0, 0x0}], 0x0, 0x0, &(0x7f0000002000)=""}) mmap(&(0x7f000000a000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f000000c000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(0xffffffffffffffff, 0xc0306201, &(0x7f0000004000)={0x4, 0x0, &(0x7f000000c000-0x80)=[@exit_looper={0x630d}], 0xa3, 0x0, &(0x7f000000c000)="2f65b9cb755a6c107959d0e345221b3ac41c891225c630f409ddd0524427803e5e86f45e106f216cfdcdc5da54c643ff50f92323d5761b11a0718338f8d57a0b8a77b846633022233f95d2127e0859cf8ff95261083928b7298285ad1d118780a7c92ca07baf053d5c8d79ef07fc2ac1156c1823894d558bb35e9434ed247eeffdb72c7d099cb3d7409f0ba4212775c8aa3f893954956e4665f5f075ef7db4577227c3"}) [ 47.758210] binder: 3676:3682 Release 1 refcount change on invalid ref 3 ret -22 [ 47.758214] binder: 3676:3682 Release 1 refcount change on invalid ref 2 ret -22 [ 47.758217] binder: 3676:3682 Acquire 1 refcount change on invalid ref 4 ret -22 [ 47.758351] binder: 3681:3683 ioctl c0306201 20002fd0 returned -14 [ 47.760275] binder: 3677:3685 ioctl c0306201 20009fd0 returned -14 [ 47.760467] binder: 3697:3698 ioctl c0306201 20002fd0 returned -14 [ 47.761002] binder: 3697:3698 ioctl 40046205 ffff returned -22 [ 47.761117] binder: binder_mmap: 3697 20005000-20009000 bad vm_flags failed -1 2017/12/08 23:39:59 executing program 2: mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000003000)="2f6465762f62696e6465722300", 0x0, 0x800) mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) getsockopt$SO_PEERCRED(0xffffffffffffffff, 0x1, 0x11, &(0x7f0000005000-0xc)={0x0, 0x0, 0x0}, 0xc) tkill(r1, 0x19) mmap(&(0x7f0000006000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000003000-0x30)={0x8, 0x0, &(0x7f0000004000)=[@increfs={0x40046302, 0x0}], 0x1, 0x0, &(0x7f0000007000-0x80)="1d"}) 2017/12/08 23:39:59 executing program 4: mmap(&(0x7f0000000000/0x8000)=nil, 0x8000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000005000)="2f6465762f62696e6465722300", 0x0, 0x0) close(r0) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r1 = syz_open_dev$binder(&(0x7f0000009000-0xd)="2f6465762f62696e6465722300", 0x0, 0x400800) mmap(&(0x7f0000000000/0x2000)=nil, 0x2000, 0x0, 0x20011, r1, 0x0) mmap(&(0x7f0000009000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r1, 0x40046207, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000009000-0x30)={0x4, 0x0, &(0x7f0000004000-0x18)=[@register_looper={0x630b}], 0x48, 0x0, &(0x7f0000009000)="d8fc1dd16de371f1d99e3b4d488546c2bbb067efde9e55e9d1048602c19fe0b0078ade697201170fdbcc34816df860d3f87023a9d8567fa3297aac9d65b25106fc55ed85da8cb6f3"}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000007000)={0x4, 0x0, &(0x7f0000006000-0x2c)=[@acquire_done={0x40486311, 0x0, 0x0}], 0x0, 0x0, &(0x7f0000002000)=""}) r2 = mmap$binder(&(0x7f0000000000/0xa000)=nil, 0xa000, 0xffffffffffffffff, 0x10, r0, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000005000)={0x50, 0x0, &(0x7f0000004000-0x98)=[@dead_binder_done={0x40086310, 0x0}, @reply={0x40406301, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x30, 0x10, &(0x7f0000007000)=[@fd={0x66642a85, 0x0, 0xffffffffffffffff, 0x0, 0x0}, @flat={0x66646185, 0x0, r2, 0x0}], &(0x7f0000006000)=[0x18, 0x38]}}], 0x0, 0x0, &(0x7f000000b000-0x82)=""}) mmap(&(0x7f000000a000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r3 = creat(&(0x7f000000b000-0x8)="2e2f66696c653000", 0x2) ioctl$SNDRV_SEQ_IOCTL_QUERY_NEXT_CLIENT(r3, 0xc0bc5351, &(0x7f0000000000)={0xffffffff, 0x2, "636c69656e7430000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", 0x2, "d1deb754afa1f34d", "4a1b1a69a4f091ac25d200b47c3f8328271ba4dfcaa3d20d629eadf6ce6cb960", 0x80000001, 0xffffffff, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}) 2017/12/08 23:39:59 executing program 1: mmap(&(0x7f0000002000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000003000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) r0 = syz_open_dev$binder(&(0x7f0000003000)="2f6465762f62696e6465722300", 0x0, 0x800) r1 = dup(r0) mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$DRM_IOCTL_GET_STATS(r1, 0x80f86406, &(0x7f0000000000)="00000000000000000000000000000000000000000000") mmap(&(0x7f0000004000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_SET_CONTEXT_MGR(r0, 0x40046207, 0x0) mmap(&(0x7f0000006000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f0000003000-0x30)={0x8, 0x0, &(0x7f0000004000)=[@increfs={0x40046302, 0x0}], 0x1, 0x0, &(0x7f0000007000-0x80)="1d"}) [ 47.761572] binder: 3697:3698 ioctl c0306201 20002fd0 returned -14 [ 47.763879] binder: 3674:3675 DecRefs 0 refcount change on invalid ref 912 ret -22 [ 47.763881] binder: 3674:3675 unknown command 0 [ 47.763885] binder: 3674:3675 ioctl c0306201 20003000 returned -22 [ 47.763917] binder: BINDER_SET_CONTEXT_MGR already set [ 47.763919] binder: 3674:3675 ioctl 40046207 0 returned -16 [ 47.777728] binder: 3697:3698 ioctl c0306201 20002fd0 returned -14 [ 47.780974] binder: 3696:3700 ioctl 40046205 1 returned -22 [ 47.781304] binder: 3697:3699 ioctl 40046205 ffff returned -22 [ 47.783272] binder: 3673:3695 got transaction with invalid offsets ptr [ 47.783321] binder: 3673:3695 transaction failed 29201/-14, size 0-8 line 3159 [ 47.783615] binder: binder_mmap: 3697 20005000-20009000 bad vm_flags failed -1 [ 47.793346] binder: 3702:3704 ioctl c0306201 20002fd0 returned -14 [ 47.794035] binder: binder_mmap: 3702 20005000-20009000 bad vm_flags failed -1 [ 47.802660] binder: 3678:3706 ioctl c0306201 2028f000 returned -14 [ 47.805455] binder: BINDER_SET_CONTEXT_MGR already set [ 47.805458] binder: 3674:3675 ioctl 40046207 0 returned -16 [ 47.806561] binder: undelivered TRANSACTION_ERROR: 29201 [ 47.814319] binder: 3711:3712 ioctl 40046205 7 returned -22 [ 47.821631] binder: 3711:3712 ioctl c0189436 20000000 returned -22 [ 47.821660] binder: 3711:3712 ioctl 40046205 ff returned -22 [ 47.823665] binder: 3711:3712 ERROR: BC_REGISTER_LOOPER called without request [ 47.826290] binder: 3674:3694 IncRefs 0 refcount change on invalid ref 3 ret -22 [ 47.826294] binder: 3674:3694 IncRefs 0 refcount change on invalid ref 4 ret -22 [ 47.826329] binder: 3673:3684 ERROR: BC_REGISTER_LOOPER called without request [ 47.827401] binder: 3714:3715 ioctl 40046205 7 returned -22 [ 47.830318] binder: BINDER_SET_CONTEXT_MGR already set [ 47.830321] binder: 3674:3694 ioctl 40046207 0 returned -16 [ 47.830538] binder_alloc: 3673: binder_alloc_buf, no vma [ 47.830570] binder: 3673:3684 transaction failed 29189/-3, size 0-8 line 3131 [ 47.830768] binder: 3714:3715 ioctl c0189436 20000000 returned -22 [ 47.830796] binder: 3714:3715 ioctl 40046205 1 returned -22 [ 47.834229] binder: 3714:3715 ERROR: BC_REGISTER_LOOPER called without request [ 47.838531] binder: 3674:3675 DecRefs 0 refcount change on invalid ref 912 ret -22 [ 47.838533] binder: 3674:3675 unknown command 0 [ 47.838536] binder: 3674:3675 ioctl c0306201 20003000 returned -22 [ 47.838547] binder: BINDER_SET_CONTEXT_MGR already set [ 47.838550] binder: 3674:3694 ioctl 40046207 0 returned -16 [ 47.842529] binder: undelivered death notification, 0000000000000000 [ 47.842653] binder: undelivered TRANSACTION_ERROR: 29189 panic: executor 3: failed: net.ipv6.conf.syz3.accept_dad = 0 net.ipv6.conf.syz3.router_solicitations = 0 failed to mkdir (errno 17) loop failed (errno 0) goroutine 14 [running]: main.execute1(0x3, 0xc420089040, 0xc421181c10, 0xc4212671a0, 0x169ce38, 0x0, 0x0, 0x0) /syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/fuzzer.go:769 +0xd52 main.execute(0x3, 0xc420089040, 0xc4212671a0, 0xc400000000, 0x169ce38, 0x0, 0x0, 0x0) /syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/fuzzer.go:670 +0x11a main.main.func4(0x3, 0xc420089040, 0xc4200643c0, 0xc420082140) /syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/fuzzer.go:332 +0xccd created by main.main /syzkaller/gopath/src/github.com/google/syzkaller/syz-fuzzer/fuzzer.go:261 +0xe14 [ 47.844674] binder: 3696